I have two new Domain Controllers on new Forest. Servers have DFS and IIS services installed. Everything seemed to go Ok for a While. After updating servers I got new errors. Now once in hour aditional Domain controller IIS2 is making these errors to event log:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the
server iis2$. The target name used was
E3514235-4B06-11D1-AB04-00C04FC2DCD2/d170f7fc-6f05-4ea5-9dee-a657e3de019b/example.com@example.com.
This indicates that the target server failed to decrypt the ticket
provided by the client. This can occur when the target server
principal name (SPN) is registered on an account other than the
account the target service is using. Ensure that the target SPN is
only registered on the account used by the server. This error can also
happen if the target service account password is different than what
is configured on the Kerberos Key Distribution Center for that target
service. Ensure that the service on the server and the KDC are both
configured to use the same password. If the server name is not fully
qualified, and the target domain (example.com) is different from the
client domain (example.com), check if there are identically named
server accounts in these two domains, or use the fully-qualified name
to identify the server.
What does this really mean? What should I do to fix this problem? How to start…
Those server are new ones, I even tryed to reinstall servers with same roles. Every time same kind of kerberos erros occurs. Previous time it was somemethin to di with Ldap, and now this…
Best Answer