Question

Kerberos KRB_AP_ERR_MODIFIED ERROR

asked on December 7, 2016

Lately on just about every Laserfiche 10 upgrade I've done, after the upgrade most of the servers are receiving an error in their event log:

"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ----. The target name used was --------. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (--------) is different from the client domain (--------), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."

Is there a reason why this keeps happening after the version 10 update? We've seen it on about 4-5 servers after the upgrade.

0 0

Replies

replied on December 7, 2016

Hi Brandon,

I went through this issue before as well. I can't remember exactly what we did to correct it or if it went away.

Here are some ideas:

1) Verify the account being used in the Services is the same as the one used prior to install. This account is asked for during installation/upgrades. If they are not the same, and Kerberos was set up for the other, this is a cause for receiving the error.

2) Clear the cached Kerberos tickets and restart the services. "klist purge" - http://setspn.blogspot.com/2010/06/kerberos-basic-troubleshooting-tip-1.html


Cheers,

Carl

0 0
replied on January 24, 2018

Update:

Just experienced this issue again and can provide more clarity.

Scenario: LFDS running with a managed service account.

Event: During upgrade/install, this MSA account cannot be supplied, but you can switch to it afterward by manually changing the Application Pool Identity in IIS and the account the Laserfiche Directory Service runs as in Services.

After switching the accounts and restarting the services and app pools, open a command prompt and clear all the Kerberos tickets initiated by the previous process identity with "klist purge".

Note: make sure the identity you are using uses the same name as before; if one is a fully qualified domain name prefix and an alias was used, the error denoted above can also be thrown.

0 0
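
Added example, not part of the thread and not Laserfiche's own tooling: a PowerShell check for the causes the event text names (the SPN registered on a different account than the service uses, or on more than one account) before purging tickets as the replies suggest. `$ServiceName` and `$TargetSpn` are placeholders to fill in from your own Services console and from the "target name used" field of the event; the script assumes a domain-joined host.

```powershell
# Placeholders (assumptions): take these from your own event entry and Services console.
$ServiceName = '<service-name>'
$TargetSpn   = '<target-name-from-event>'   # assumed to contain no LDAP filter characters ( ) * \

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }

# Reduce the service logon identity to a sAMAccountName.
# Built-in identities authenticate on the network as the computer account (HOSTNAME$).
$expected = switch -Regex ($svc.StartName) {
    '^(LocalSystem|NT AUTHORITY\\(NetworkService|SYSTEM))$' { "$env:COMPUTERNAME`$"; break }
    '^[^\\]+\\(.+)$' { $Matches[1]; break }   # DOMAIN\account (managed service accounts end in $)
    '^([^@]+)@.+$'   { $Matches[1]; break }   # account@domain
    default          { $_ }
}

# Every directory object that has this SPN registered. More than one is a duplicate.
$searcher = [adsisearcher]"(servicePrincipalName=$TargetSpn)"
$holders  = @($searcher.FindAll() |
    ForEach-Object { [string]$_.Properties['samaccountname'][0] })

"Service logon account : $($svc.StartName)"
"SPN registered on     : $(if ($holders) { $holders -join ', ' } else { '(none)' })"

if ($holders.Count -eq 0) {
    'No account holds this SPN.'
} elseif ($holders.Count -gt 1) {
    'Duplicate SPN: it must be registered on the service account only.'
} elseif ($holders[0] -ne $expected) {
    "SPN is on '$($holders[0])' but the service runs as '$expected'."
} else {
    'SPN matches the service account; purging cached tickets.'
    # klist purge only clears tickets for the logon session it is run in.
    klist purge
}
```

If the script reports a mismatch or a duplicate, fix the SPN registration first; purging tickets alone will not clear the error while the KDC keeps issuing tickets encrypted for the wrong account.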