Windows Authentication KRB5KRB_AP_ERR_MODIFIED

Tags: authentication, iis-7.5, kerberos, spn

Let me preface by saying, I've been on this issue for about a week and a half now and I can't figure it out. I think I'm close, but every time I've thought that so far, I was wrong. I've looked at every forum post I can think to search for and nothing has worked.

I am simply trying to make my web application and its respective service use windows authentication so that, in code, I can pull the currently logged in user's credentials, without prompting them, and pass them to my database stored procedure via my service.

Sounds easy enough, right?

WRONG!

With Wireshark running, I keep getting a response of KRB_ERROR (30) with further details of:

error_code: KRB5KRB_AP_ERR_MODIFIED (41)

I'll be trying this tomorrow, but I thought I'd post now in case someone has an idea as to why I keep getting the KRB5KRB_AP_ERR_MODIFIED error based on my current setup that I'll list below.


Here's my current setup:

Windows Server 2008 R2 Standard SP1 64-bit 4.00 GB RAM.

For the sake of this post, we'll call this server DALDEP01.TEST.LOCAL, and on it I have the following:

  • MS SQL Server 2008 R2 which has a database we'll call Deploy.

    1. Only one user account has access to the Deploy db which is TEST\DeploySvc.

    2. This user account is a datareader / datawriter and has been granted EXEC.

  • IIS 7.5 which hosts 2 web sites:

    1. Deploy.Service that makes CRUD operations against the Deploy db.

    2. Deploy.Web that hosts a Silverlight 4 application which makes calls to the Deploy.Service.

    3. Both sites are configured identically (because I'm not sure how else to do it):

      • They use DeployAppPool which runs under custom user account TEST\DeploySvc.

      • Anonymous Authentication is Disabled.

      • Windows Authentication is Enabled.

        1. Extended Protection is Accept.

        2. Enable Kernel-mode authentication is Checked.

        3. Providers are just Negotiate, as I removed NTLM because I only want Kerberos.

  • SPNs are configured as follows:

          C:\> setspn -l deploysvc

          Registered ServicePrincipalNames for CN=DeploySvc,OU=Services Accounts,DC=test,DC=local:
                  HTTP/deploy.test.local
                  HTTP/deploy

Best Answer

It's possible for a duplicate SPN to cause this issue...

setspn -X

...will show you if there are any duplicates in your domain and you will need to remove the offending one. Or you could use the SPN Query Utility. I'm also assuming you've already modified the delegation tab in AD for the service account so it's trusted for delegation?
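To make the duplicate-SPN check concrete, here is an added PowerShell example (not the answerer's code, and not part of the original thread) that queries Active Directory for every account registering the HTTP SPNs from the question and flags any SPN held by more than one account, or held by an account other than the app pool identity. The host names `deploy` and `deploy.test.local` and the account `DeploySvc` are assumed from the question; it uses the built-in `[adsisearcher]` so no RSAT module is needed.

```powershell
# Added example: report HTTP SPNs for the Deploy sites that are duplicated
# across accounts or held by the wrong account. Values below are assumptions
# taken from the question, not from a live domain.
$hostNames       = @('deploy', 'deploy.test.local')
$expectedAccount = 'DeploySvc'   # the DeployAppPool identity (TEST\DeploySvc)

$searcher = [adsisearcher]''     # DirectorySearcher rooted at the current domain
$searcher.PageSize = 1000
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName'))

# spn (lower-cased) -> list of sAMAccountNames that register it
$holders = @{}
foreach ($h in $hostNames) {
    # Broad LDAP match, then an exact regex check so HTTP/deploy does not
    # swallow HTTP/deploy.test.local; a :port suffix is still accepted.
    $searcher.Filter = "(servicePrincipalName=HTTP/$h*)"
    $exact = "^HTTP/$([regex]::Escape($h))(:\d+)?$"
    foreach ($r in $searcher.FindAll()) {
        $acct = [string]$r.Properties['samaccountname'][0]
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            if ($spn -notmatch $exact) { continue }
            $key = $spn.ToLowerInvariant()
            if (-not $holders.ContainsKey($key)) { $holders[$key] = @() }
            $holders[$key] += $acct
        }
    }
}

foreach ($spn in ($holders.Keys | Sort-Object)) {
    $accts = @($holders[$spn] | Sort-Object -Unique)
    if ($accts.Count -gt 1) {
        # The KDC picks one holder's key; if it is not the app pool account,
        # IIS cannot decrypt the ticket and the client sees KRB_AP_ERR_MODIFIED.
        Write-Warning "DUPLICATE $spn held by: $($accts -join ', ')"
    } elseif ($accts[0] -ne $expectedAccount) {
        Write-Warning "$spn is held by $($accts[0]) but the app pool runs as $expectedAccount"
    } else {
        Write-Output "OK  $spn -> $($accts[0])"
    }
}

# Hosts with no HTTP SPN at all cannot get a Kerberos ticket for the site.
foreach ($h in $hostNames) {
    if (-not $holders.ContainsKey("http/$h")) {
        Write-Warning "No account registers HTTP/$h"
    }
}
```

Run it as a domain user from the web server; every line should read `OK` and point at the app pool account, and any `DUPLICATE` line names the account whose SPN needs removing with `setspn -D`.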