Channel: Directory Services forum

Event ID 4 Kerberos error with SQL cluster

Hi all,

I am getting repeated Kerberos errors which say the following:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          9/9/2015 8:53:35 AM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      clusnode1.mydomain.loc
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server clusnode1$. The target name used was HTTP/ClustA.mydomain.loc. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (mydomain.LOC) is different from the client domain (mydomain.LOC), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Clusnode1 is part of a two node cluster. I am getting similar error messages for clusnode2 with the same HTTP/ClustA account. What I have tried so far is to run the following commands:

setspn -a HTTP/ClustA.mydomain.loc clusnode1

setspn -a HTTP/ClustA.mydomain.loc clusnode2

I soon realized that I couldn't register it on clusnode2.  After researching it seems I can only register the HTTP account to one resource.  So I unregistered it from clusnode1 then reregistered it to the cluster node name...that way at least it will follow the active node (or so I am thinking).  

setspn -a HTTP/ClustA.mydomain.com SQLCluster.mydomain.loc

Since I did this I am no longer seeing event ID 4 for clusnode1$ but I am still seeing that event for clusnode2$. 

I have been researching this for a good amount of time, but can't seem to find an answer for a clustered setup.  How can I clear this error for good on a cluster?  Is there something I am doing wrong?
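
Added example (not part of the original post): one way to triage these events is to pull the rejecting server account and the target SPN out of each Event ID 4 description and compare them with an inventory of which account holds each SPN. The event text and the inventory below are constructed from the values shown in the post; the function names and verdict labels are hypothetical, and the check assumes the account named in the event is the one the service runs as.

```python
import re

# Constructed sample: the Event ID 4 description from the post, shortened to
# the two sentences that carry the server account and the target SPN.
EVENTS = [
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "clusnode1$. The target name used was HTTP/ClustA.mydomain.loc.",
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "clusnode2$. The target name used was HTTP/ClustA.mydomain.loc.",
]
# Constructed (SPN, account) inventory standing in for a directory export.
# It mirrors the last setspn command shown in the post.
INVENTORY = [("HTTP/ClustA.mydomain.com", "SQLCluster.mydomain.loc")]

EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (?P<server>\S+?)\. "
    r"The target name used was (?P<spn>\S+?)\.(?:\s|$)")

def norm_account(name):
    # Compare short account names: drop any DNS suffix and trailing '$'.
    return name.split(".")[0].rstrip("$").lower()

def parse_event(description):
    m = EVENT_RE.search(description)
    return (m.group("server"), m.group("spn")) if m else None

def holders(spn, inventory):
    return sorted({acct for s, acct in inventory if s.lower() == spn.lower()})

def classify(description, inventory):
    # Returns None for text that is not a KRB_AP_ERR_MODIFIED description.
    parsed = parse_event(description)
    if parsed is None:
        return None
    server, spn = parsed
    owners = holders(spn, inventory)
    if not owners:
        verdict = "spn-not-registered"      # exact SPN string absent
    elif len(owners) > 1:
        verdict = "duplicate-spn"           # held by more than one account
    elif norm_account(owners[0]) != norm_account(server):
        verdict = "spn-on-other-account"    # holder is not the rejecting server
    else:
        verdict = "spn-matches-server"
    return {"server": server, "spn": spn, "owners": owners, "verdict": verdict}

if __name__ == "__main__":
    for event in EVENTS:
        print(classify(event, INVENTORY))
```
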

