We currently have three instances of Laserfiche running in the business and we use single sign-on for users to access the web client. This was all working as expected until Windows updates were implemented on our servers in December; since then we have been getting constant Kerberos errors on two of our servers (both on Windows Server 2019).
Error: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server SVC-CF-Laserfiche. The target name used was (server name). This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain is different from the client domain , check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
If we only leave Windows authentication enabled, when users try to access the web client, they are stuck in a constant redirect loop. We are using a workaround at the moment so users can manually log on (anonymous authentication has been enabled in IIS).
Our third server was running on Windows Server 2012 and this continued to work as expected with the same settings. This server has recently been upgraded to 2019 with the same updates/patches and this continues to work as expected.
We are at a loss as to what we need to do now to get the single sign-on back up and running.