Troubleshooting Kerberos Authentication Issues
Published on Oct 25, 2011 by Wei Zhao
KRB_AP_ERR_MODIFIED is a common Kerberos failure message. It means that some encrypted Kerberos authentication data sent by the client did not decrypt properly at the server.
When a Kerberos client requests a ticket for a specific service, the service is actually identified by its SPN. The KDC grants the client a service ticket that is encrypted using the service's secret key, which is basically the password of the AD account that the requested SPN is registered on.
Under some scenarios, the KDC may generate a service ticket encrypted with the password of the wrong (or at least an unexpected) account. When the client then presents that ticket to the service for authentication, the service can't decrypt it and authentication fails with KRB_AP_ERR_MODIFIED.
In short, this happens because the KDC issued a ticket encrypted using the password of account A, while on the service side the ticket is decrypted using the password of account B.
Common causes are a duplicated SPN, wrong DNS settings, two computers in different domains having the same name, and the client requesting the wrong SPN. Starting with IIS 7, it may also be due to a wrong IIS setting (kernel-mode versus user-mode authentication).
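The following is an added example that is not part of the original post: a small Python model of the account-A/account-B mismatch described above. The directory, account names, passwords and SPNs are constructed for the example, and the "encryption" is a toy hash-based scheme standing in for the Kerberos ticket encryption; it only needs to show that a ticket sealed under one account's key fails the integrity check under another account's key. The directory deliberately registers `HTTP/web.corp.example` on two accounts, and `find_duplicate_spns` is the kind of check you would run before touching anything else.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed toy directory (not real AD data): account -> (password, list of SPNs).
# HTTP/web.corp.example is deliberately registered on two accounts (a duplicate SPN).
DIRECTORY = {
    "SVC_WEB": ("password-A", ["HTTP/web.corp.example"]),
    "WEB01$": ("password-B", ["HOST/web01.corp.example", "HTTP/web.corp.example"]),
    "SQL01$": ("password-C", ["MSSQLSvc/sql01.corp.example:1433"]),
}


def derive_key(password: str) -> bytes:
    """Stand-in for the account's long-term key (real Kerberos uses a string-to-key function)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-derived keystream; toy construction, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the account key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag with the service's own key; a wrong key surfaces as KRB_AP_ERR_MODIFIED."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("KRB_AP_ERR_MODIFIED")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def find_spn_owners(spn: str, directory=DIRECTORY) -> list:
    """All accounts that have the given SPN registered."""
    return [acct for acct, (_, spns) in directory.items() if spn in spns]


def find_duplicate_spns(directory=DIRECTORY) -> dict:
    """SPNs registered on more than one account: the first thing to check for this error."""
    owners = defaultdict(list)
    for acct, (_, spns) in directory.items():
        for spn in spns:
            owners[spn].append(acct)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}


def kdc_issue_ticket(spn: str, client: str, directory=DIRECTORY) -> bytes:
    """The KDC resolves the SPN to an account and seals the ticket with that account's key."""
    owners = find_spn_owners(spn, directory)
    if not owners:
        raise LookupError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
    chosen = owners[0]  # with a duplicate SPN the KDC simply picks one of the owners
    return seal(derive_key(directory[chosen][0]), f"client={client};spn={spn}".encode("utf-8"))


def service_accept(ticket: bytes, service_account: str, directory=DIRECTORY) -> str:
    """The service decrypts with its own account key; mismatch gives the Kerberos error name."""
    try:
        unseal(derive_key(directory[service_account][0]), ticket)
    except ValueError as err:
        return str(err)
    return "OK"


def authenticate(spn: str, service_account: str, client: str = "alice") -> str:
    """Full round trip: client asks the KDC for a ticket to `spn`, presents it to `service_account`."""
    return service_accept(kdc_issue_ticket(spn, client), service_account)


if __name__ == "__main__":
    print("duplicate SPNs:", find_duplicate_spns())
    # WEB01$ actually runs the web service, but the KDC sealed the ticket for SVC_WEB
    print("HTTP/web.corp.example ->", authenticate("HTTP/web.corp.example", "WEB01$"))
    # SQL service with a single SPN owner
    print("MSSQLSvc ->", authenticate("MSSQLSvc/sql01.corp.example:1433", "SQL01$"))
```

The duplicate-SPN case fails even though the client, DNS and the service are all configured correctly, which is why the error is so confusing in practice; in a real domain the equivalent of `find_duplicate_spns` is `setspn -X`, which lists SPNs registered on more than one account.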