
Troubleshooting Kerberos

Microsoft Support

How to troubleshoot Kerberos errors in IIS

KRB_AP_ERR_MODIFIED

Source: Jesper Mchristensen

  • Duplicate DNS entries

Most KRB_AP_ERR_MODIFIED errors are caused by old DNS records on your DNS server that were never removed. The error means the web server could not decrypt the ticket the client presented: the KDC encrypted it with the key of some other account, and a stale record that points a name at the wrong host (or an IP address at the wrong name) produces exactly that. Remove the stale records so that you have only one IP address per server and one server per IP address (sort by name and by IP address in DNS Manager to find duplicates). Also check the reverse lookup zone, as Kerberos uses this lookup to match the server as well. And remember the replication delay to other DNS servers and the DNS cache on the clients (ipconfig /flushdns) before testing again; better wait a couple of minutes, or up to 30 minutes for automatic replication.
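The check described above, as an added example that is not part of the original page: it takes the forward (A) and reverse (PTR) records of a zone, reports every name with more than one IP address, every IP address with more than one name, PTR records that disagree with the forward zone and IP addresses with no PTR at all, and lists the http SPNs a client could end up requesting for an IP address, one per name it still maps to. The records are constructed for the example, not taken from a real zone; the names `audit_dns` and `candidate_http_spns` are this example's own.

```python
from collections import defaultdict

# Constructed sample records (not from a real zone): (name, ip) as listed in
# the forward lookup zone and (ip, name) as listed in the reverse lookup zone.
A_RECORDS = [
    ("web01.domain.local", "10.0.0.11"),
    ("web01.domain.local", "10.0.0.21"),    # stale record from an earlier re-IP
    ("web02.domain.local", "10.0.0.12"),
    ("oldweb.domain.local", "10.0.0.12"),   # decommissioned host, same IP as web02
    ("intranet.domain.local", "10.0.0.13"),
]
PTR_RECORDS = [
    ("10.0.0.11", "web01.domain.local"),
    ("10.0.0.12", "oldweb.domain.local"),
    ("10.0.0.13", "intranet-old.domain.local"),  # reverse zone never updated
]


def _norm(name):
    """DNS names are case-insensitive; drop a trailing dot and lower-case."""
    return name.rstrip(".").lower()


def _maps(a_records, ptr_records):
    ips_by_name = defaultdict(set)
    names_by_ip = defaultdict(set)
    for name, ip in a_records:
        ips_by_name[_norm(name)].add(ip)
        names_by_ip[ip].add(_norm(name))
    ptr_by_ip = {ip: _norm(name) for ip, name in ptr_records}
    return ips_by_name, names_by_ip, ptr_by_ip


def audit_dns(a_records, ptr_records):
    """Return every record that breaks the one-name-one-IP rule."""
    ips_by_name, names_by_ip, ptr_by_ip = _maps(a_records, ptr_records)
    return {
        "names_with_multiple_ips": {n: sorted(v) for n, v in ips_by_name.items() if len(v) > 1},
        "ips_with_multiple_names": {ip: sorted(v) for ip, v in names_by_ip.items() if len(v) > 1},
        # PTR target that is not one of the names the forward zone gives this IP
        "ptr_mismatches": {ip: (ptr, sorted(names_by_ip.get(ip, [])))
                           for ip, ptr in ptr_by_ip.items()
                           if ptr not in names_by_ip.get(ip, set())},
        "missing_ptr": sorted(ip for ip in names_by_ip if ip not in ptr_by_ip),
    }


def candidate_http_spns(a_records, ptr_records, ip):
    """http/<name> for every name the IP maps to in either zone.

    Each of these must be registered on the application pool account, or the
    stale name removed; a client that resolves via the stale name asks the KDC
    for an SPN nobody (or the wrong account) holds.
    """
    _, names_by_ip, ptr_by_ip = _maps(a_records, ptr_records)
    names = set(names_by_ip.get(ip, set()))
    if ip in ptr_by_ip:
        names.add(ptr_by_ip[ip])
    return sorted("http/" + n for n in names)


if __name__ == "__main__":
    for finding, detail in audit_dns(A_RECORDS, PTR_RECORDS).items():
        print(f"{finding}: {detail}")
    print(candidate_http_spns(A_RECORDS, PTR_RECORDS, "10.0.0.12"))
```

Run it against a zone export after the cleanup as well: the only acceptable result is four empty findings.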

  • Multiple or missing SPN entries

SPNs are configured and stored centrally in Active Directory, where the KDC looks them up. For IIS you only need to map the http service class to your Application Pool account. If you map the same SPN to more accounts or servers, or do not map it correctly, the KDC encrypts the service ticket with the wrong account's key and you get the error. Remember that the HOST SPN of the computer account is used if no http SPN is configured (the http class maps to HOST by default), which only works when the application pool runs as Network Service or LocalSystem. Check for multiple mappings with the command:

   ldifde -d "dc=domain,dc=local" -r "(servicePrincipalName=http*)" -p subtree -l "dn,servicePrincipalName" -f output.txt


Each SPN, both http/NETBIOSNAME and http/FQDN, must appear on exactly one object. Remove the ones that are not on the Application Pool account (setspn -D http/FQDN account). And if none is configured for that account you must of course map both to it (setspn -A http/FQDN account).

Note: SPNs may be treated as case-sensitive, so check the case of your server and domain names just in case! (See Shane Young's blog entry)
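A checker for the ldifde output described above, added here as an example (not from the original page): it parses the LDIF export, reports every http SPN held by more than one object, comparing case-insensitively as the directory does, and resolves which account's key the KDC would use for a given SPN, including the fallback to the computer account's HOST SPN when no http SPN exists. It assumes the export was made with `-r "(servicePrincipalName=*)"` so that HOST entries are visible too; the records in `SAMPLE_LDIF` are constructed, and `parse_ldif`, `find_duplicate_spns` and `effective_holders` are this example's own names.

```python
import base64
import re
from collections import defaultdict

# Constructed sample in the format ldifde writes: one record per object,
# separated by blank lines, long values folded onto continuation lines that
# start with one space, and "attr:: <base64>" for encoded values.
SAMPLE_LDIF = """\
dn: CN=WEB01,OU=Servers,DC=domain,DC=local
changetype: add
servicePrincipalName: HOST/WEB01
servicePrincipalName: HOST/web01.domain.local
servicePrincipalName: http/web01.domain.local

dn: CN=WEB02,OU=Servers,DC=domain,DC=local
changetype: add
servicePrincipalName: HOST/WEB02
servicePrincipalName: HOST/web02.domain.local

dn: CN=svc-apppool,OU=Service Accounts,DC=domain,DC=local
changetype: add
servicePrincipalName: HTTP/web01
servicePrincipalName: HTTP/web01.domain.local

dn: CN=svc-old,OU=Service Accounts,DC=domain,DC=local
changetype: add
servicePrincipalName:: aHR0cC9JTlRSQU5FVA==
servicePrincipalName: http/intranet.domain.loca
 l
"""


def parse_ldif(text):
    """Parse LDIF into [(dn, {attribute: [values]})], undoing line folding
    and decoding base64 values; attribute names are lower-cased."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        unfolded = block.replace("\n ", "")
        dn, attrs = None, defaultdict(list)
        for line in unfolded.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: base64"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn is not None:
            records.append((dn, dict(attrs)))
    return records


def spn_index(records):
    """Map lower-cased SPN -> sorted DNs holding it. AD matches
    servicePrincipalName case-insensitively, so HTTP/x on one account and
    http/x on another collide at the KDC."""
    index = defaultdict(set)
    for dn, attrs in records:
        for spn in attrs.get("serviceprincipalname", []):
            index[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in index.items()}


def find_duplicate_spns(records, service_class="http"):
    """{spn: [dn, ...]} for SPNs of service_class held by more than one object."""
    prefix = service_class.lower() + "/"
    return {spn: dns for spn, dns in spn_index(records).items()
            if spn.startswith(prefix) and len(dns) > 1}


def effective_holders(records, spn):
    """Accounts whose key the KDC would use for `spn`: explicit holders, or
    the HOST/<instance> holder (the default mapping for http) when no http
    SPN is registered at all."""
    index = spn_index(records)
    key = spn.lower()
    if key in index:
        return index[key]
    _, _, instance = key.partition("/")
    return index.get("host/" + instance, [])


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for spn, dns in find_duplicate_spns(recs).items():
        print(f"DUPLICATE {spn}: {dns}")
    for name in ("http/web01", "http/web02.domain.local", "http/intranet"):
        print(f"{name} -> {effective_holders(recs, name)}")
```

In the sample, http/web01.domain.local is held by both the computer account and the application pool account, which is the duplicate to remove; http/web02.domain.local falls back to WEB02's HOST SPN, so a pool on that server running under a domain account would fail until the SPN is added.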

  • Computer account secure connection

Some clients/servers fail to set up a working secure channel with the domain. If this happens you need to reset and rebuild it. Follow this link to Microsoft Knowledge Base article KB216393 http://support.microsoft.com/kb/216393/en-us for instructions. You can check the channel first with nltest /sc_query:<domain>; on current Windows versions Test-ComputerSecureChannel -Repair in PowerShell or netdom resetpwd performs the reset.

If your server/client has been cloned you need to generate a new security ID (SID), and the recommended way to do this is to run the Microsoft sysprep utility. Another way was the former Sysinternals, now Microsoft, utility NewSID, which has since been retired.

  • Issues with the MTU Size

Kerberos on older Windows versions sends its messages over UDP. If an account is a member of a large number of groups, the ticket carries a large PAC and the reply exceeds the MTU; it is then fragmented, and when fragments are dropped on the way the authentication fails, which has been seen to produce this error. The way to deal with the MTU problem is to force Kerberos to use TCP: set the DWORD value MaxPacketSize to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters (Windows Vista and later already use TCP by default). You can find the details in Microsoft Knowledge Base article KB244474 (http://support.microsoft.com/kb/244474/en-us).


  • Other problems with Kerberos: check the event logs (Kerberos events in the System log of the client and the web server, KDC events on the domain controllers)
    • Time difference between servers/clients (Kerberos rejects requests when the clocks differ by more than the allowed skew, 5 minutes by default)
    • Firewall restrictions on the servers/clients (clients must reach the domain controllers on TCP and UDP port 88)