Windows cannot log in / Kerberos client received KRB_AP_ERR_MODIFIED error from server

Recently, the company's computers and servers have been unable to log in. The message only says that the password is wrong. Most computers can log in again after rebooting; one of the servers had to be logged in to with a local account and re-joined to the domain before domain login worked.


After checking the event log, I found a record that may be relevant:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server xxx$. The target name used was LDAP/xxx. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered only on the account used by the server. This error can also happen when the target service account password is different from the password configured for that target service on the Kerberos Key Distribution Center. Please ensure that the service on the server and the KDC are both set to use the same password. If the server name is not fully qualified, and the target domain (xxx.COM.TW) is different from the client domain (xxx.COM.TW), check whether there are server accounts with the same name in these two domains, or use the fully qualified name to identify the server.


After searching online, I found an article on "Jason's Computer Gym". Its solution is to reset the administrator password (the machine account password) of the problem DC named in the event log. In addition, a reader in the Q&A at the bottom of an article on "The Back of MIS" mentioned that this problem seems to appear only after the DCs were upgraded from 2003 to 2016, and our environment is the same. According to the Microsoft article that reader provided, the short explanation is that Windows from 2012 R2 onward uses AES encryption, which 2003 does not support, while 2012 R2 in turn does not support the old DES encryption. The latest update to that article mentions that a hotfix was released later, but when I actually tried to install it I got a message that it did not match my environment, so I still solved the problem by resetting the password with a command. Proceed as follows:


◎ Change the "Startup type" of the "Kerberos Key Distribution Center" service on the target DC to "Manual", then reboot.


◎ Run the following command as the system administrator:

netdom resetpwd /server:<DC computer name> /ud:<domain name>\administrator /pd:<administrator's password>


◎ Reboot again. After the reboot, change the "Startup type" of the "Kerberos Key Distribution Center" service back to "Automatic".


In addition, if your domain functional level is 2003, the users' operating system is Windows 8 or later, users get a password error when logging in, and the event record is the same as the one described above, the cause is probably the large gap between the two versions. You can try raising the domain functional level to 2008 or above to solve this problem.
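
Before resetting anything, the causes named in the event text and in the notes above can be checked read-only. The script below is an added example, not part of the original post or of the articles it cites. It assumes the RSAT ActiveDirectory module is installed, and the SPN value is a constructed placeholder.

```powershell
# Added example: read-only checks, nothing is changed in AD.
# Assumes the RSAT ActiveDirectory module; $Spn is a constructed placeholder.
Import-Module ActiveDirectory
$Spn = 'LDAP/dc01.example.com.tw'   # placeholder: use the target name from the event

# Bit flags of the msDS-SupportedEncryptionTypes attribute
[Flags()] enum KerbEncType {
    DES_CBC_CRC = 1
    DES_CBC_MD5 = 2
    RC4_HMAC    = 4
    AES128      = 8
    AES256      = 16
}
function Format-EncTypes($Value) {
    if (-not $Value) { return 'not set (OS default)' }
    [string][KerbEncType]([int]$Value -band 0x1F)   # ignore non-cipher bits
}

# 1. Domain functional level (2003 vs. 2008 or above)
"Domain functional level: $((Get-ADDomain).DomainMode)"

# 2. Per DC: OS version, machine account password age, advertised encryption types
Get-ADDomainController -Filter * | ForEach-Object {
    $c = Get-ADComputer -Identity $_.ComputerObjectDN -Properties OperatingSystem,
         PasswordLastSet, 'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        DC              = $c.Name
        OS              = $c.OperatingSystem
        PasswordLastSet = $c.PasswordLastSet
        EncTypes        = Format-EncTypes $c.'msDS-SupportedEncryptionTypes'
    }
} | Format-Table -AutoSize

# 3. The SPN from the event should be held by exactly one account
$holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'")
if ($holders.Count -ne 1) {
    Write-Warning "$Spn is registered on $($holders.Count) accounts:"
    $holders | Select-Object Name, DistinguishedName
}

# 4. Recent KRB_AP_ERR_MODIFIED events (Security-Kerberos, event ID 4) on this machine
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
```

A DC whose EncTypes column lacks AES next to one that only offers AES, or an SPN held by more than one account, matches the mismatch the event message describes.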


