
Kerberos error event ID:4



Guest Adam Raff
Posted

Good Day,

 

We have a Windows XP SP2 computer that I just put onto our network which

replaces an older computer. The old computer name was flexprintserver and

the new computer is called hpprintcut.

 

I created hpprintcut about three weeks ago and added it to the domain (Windows

2003 SP1). Yesterday I replaced the systems, turned off the old system,

removed it from the network and then put the new one in the same location

and turned it on. I have not seen any errors in the new computer's event

logs but noticed the following errors on our servers which are both DCs.

Since the other computer is not even plugged in I am confused on what it's

saying as these two names are totally different as can be. If anybody has

any ideas on this matter it would be a great help.

 

 

 

 

Event Type: Error

Event Source: Kerberos

Event Category: None

Event ID: 4

Date: 4/9/2008

Time: 11:16:34 PM

User: N/A

Computer: Server

Description:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server

FLEXPRINTSERVER$. The target name used was cifs/hpprintcut.hspop.net. This

indicates that the password used to encrypt the kerberos service ticket is

different than that on the target server. Commonly, this is due to

identically named machine accounts in the target realm (Company.NET), and

the client realm. Please contact your system administrator.

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

 

 

Thanks

Adam Raff

Guest David Shen [MSFT]
Posted

RE: Kerberos error event ID:4

 

Dear Customer,

 

Thank you for posting in the newsgroup.

 

According to the description, you have encountered the Kerberos error

(Event ID 4) on both of the DCs after you replaced the old computer

"flexprintserver" with the new computer "hpprintcut" in the domain. If I

have any misunderstanding, please feel free to let me know.

 

For troubleshooting this error, I would like to confirm some information

with you firstly.

 

Information Needed:

======================

 

1. Did you make the old computer "flexprintserver" normally quit the

Windows 2003 domain?

 

2. Do the new computer and the old computer hold the same IP address?

 

Analysis:

================

 

This event will occur if you present a service ticket to a principal (target computer) which cannot be decrypted by the target. The service ticket is encrypted using the shared secret of the machine account's password as a seed for the resulting encryption used on the service ticket. This ensures that only the KDCs (DCs) and the target principal can decrypt the ticket. The client presents the encrypted ticket it received from the KDC to the target server. If the server can decrypt the ticket, the server then knows that it was encrypted by a trusted source (the DC) and the presenter (the client) is also trusted. If the shared secret (machine account password) used to encrypt the ticket is different between the KDC and the target machine, the ticket cannot be decrypted and the failure occurs.

 

Suggestions:

=============

 

1. Please launch "Active Directory Users and Computers" on the domain

controller, expand the domain and in the container of "Computer", please

ensure old computer account "flexprintserver" has been removed and the new

computer account "hpprintcut" exists.

 

2. Please verify that the IP address of the new computer exists in the DNS

Server and the IP address is correctly pointed to the new server. You may

run "ipconfig /flushdns" to flush the DNS cache and then run "ipconfig

/registerdns" on the new computer "hpprintcut" to manually register the DNS

record.

 

3. Please verify that the IP address of the old computer "flexprintserver"

has been removed in the DNS Server; in addition, please ensure that no

"flexprintserver" A or Alias records exist in DNS.

 

4. Please also perform a check in WINS to ensure that no "Flexprintserver"

records exist.

 

5. Please check if the issue re-occurs. If possible, you may make the new

computer re-join the Windows 2003 domain.

 

6. I would like to suggest that you install and apply the service pack 2

for Windows Server 2003 on all the domain controllers.

 

Reference:

============

 

How to obtain the latest service pack for Windows Server 2003

http://support.microsoft.com/kb/889100

 

Hope all the information will be helpful.

 

I look forward to your reply and thank you for your time.

 

David Shen

Microsoft Online Partner Support
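
Added example, not part of the original posts: a small Python triage of the Event ID 4 description quoted in this thread, comparing the machine account that answered with the host named in the target name. The second sample event, the function names and the verdict labels are constructed for illustration.

```python
import re

# Constructed input: Event ID 4 descriptions in the wording quoted in this
# thread. The second entry is invented to show the matching-name case.
SAMPLE_EVENTS = [
    """The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
FLEXPRINTSERVER$. The target name used was cifs/hpprintcut.hspop.net. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server.""",
    """The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
FILESRV01$. The target name used was cifs/filesrv01.example.test. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server.""",
]

EVENT_RE = re.compile(r"KRB_AP_ERR_MODIFIED error from the server (?P<account>\S+?)\. "
                      r"The target name used was (?P<spn>\S+)")

def short_host(name):
    """Lower-case host label: drop a machine account's '$', port and DNS suffix."""
    return name.rstrip("$").split(":")[0].split(".")[0].lower()

def parse_event(description):
    """Extract the responding account and the requested SPN from the event text."""
    text = " ".join(description.split())      # undo the hard line wraps
    m = EVENT_RE.search(text)
    if m is None:
        return None
    spn = m.group("spn").rstrip(".")          # drop the sentence's full stop
    host = spn.split("/")[1] if "/" in spn else spn
    return {"account": m.group("account"), "spn": spn,
            "account_host": short_host(m.group("account")),
            "spn_host": short_host(host)}

def triage(description):
    """Say whether the machine that answered is the one the ticket was for."""
    ev = parse_event(description)
    if ev is None:
        return ("unparsed", None)
    if ev["account_host"] != ev["spn_host"]:
        # Another machine account answered for this name: review DNS A/alias
        # records, WINS entries and reused IP addresses for the SPN host.
        return ("name-mismatch", ev)
    # Same machine on both sides: its account password differs from the KDC's copy.
    return ("key-mismatch", ev)

if __name__ == "__main__":
    for d in SAMPLE_EVENTS:
        print(triage(d))
```

A "name-mismatch" verdict corresponds to suggestions 2 to 4 above (DNS and WINS cleanup); a "key-mismatch" verdict corresponds to suggestion 5 (re-joining the domain).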

Guest Adam Raff
Posted

Re: Kerberos error event ID:4

 

1: What do you mean by normally quit. I just shut down the computer.

 

2: Yes they had the same IP address

 

Please see below with your following info

 

Suggestions:

1: Not Yet

2: Did this already and ran ipconfig on new system HPprintcut

3: Did this as well

4: I looked in Wins but did not see any IP or name listed

5:Next option if I have to

6: I am working on that as we write hope to have it done in two months

Guest David Shen [MSFT]
Posted

RE: Kerberos error event ID:4

 

Dear Customer,

 

Thanks for your feedback.

 

For your concern, here is some information which may be helpful for you.

 

Analysis and Suggestion:

======================

 

I meant that the member server "flexprintserver" quit the Windows 2003

domain and join to the workgroup mode. If the old server doesn't quit the

domain, and then the new server "hpprintcut" add to the domain with the

same IP address of the old server, this may cause some potential problems

afterwards.

 

I don't want to push you; here is a suggestion just for your reference. After

that, please check if the issue will re-occur.

 

I would like to suggest that you manually remove the old computer account

"flexprintserver" in the "Active Directory Users and Computers" console and

verify that the new computer account "hpprintcut" exists. In the DNS

server, please check A record of the new server with the IP address exists

and the A record of the old server is removed. If possible, please quit the

new server from the domain and then make it rejoin the domain to build the

security computer account automatically in the domain.

 

Hope the issue will be resolved soon.

 

Thanks for your time.

 

David Shen

Microsoft Online Partner Support

Guest Adam Raff
Posted

Re: Kerberos error event ID:4

 

Hi David,

 

Thanks for your help,

 

After going through the records in DNS I found some old stuff that referred back to the old computer. I deleted them from both DNS servers and disabled the old account for now. I will delete it once everything checks out. I like to be able to put the old system back on even if I give it a new address such as DHCP if we need something off of the system.

 

When you remove a system by changing it from Domain to workgroup, does that

also remove the computer name as well out of AD? Is there any difference

between doing it that way or just deleting it when you are done?

 

Otherwise as of this morning when we turned the system on I have not seen

any errors. I am still waiting to see if we get some later today.

 

Thanks for your help.

Adam Raff

Guest David Shen [MSFT]
Posted

RE: Kerberos error event ID:4

 

Hello Adam,

 

Thanks for your reply.

 

Based on the research, here is some information which may be helpful for

you.

 

Analysis:

=========

 

When you remove a system by changing it from domain to workgroup. Does

that also remove the computer name as well out of AD?

 

No.

 

When we make the "Client A" quit Windows Server 2003 domain and join into the workgroup mode, the Active Directory only makes the computer account "Client A" disabled in the database, the computer account won't be removed until the administrator removes it manually. The Active Directory will preserve all the information of the computer account "Client A". Next time, when we rejoin the original computer "Client A" into the domain, the Active Directory will enable the computer account automatically.

After we disjoin the "Client A" from the domain, we can manually remove the computer account in the Active Directory database, which means that the Active Directory won't preserve all the information about the computer account "Client A". In this way, the computer account "Client A" won't take effect in the domain anymore. So, I suggest that you manually remove the computer account after you make it join into workgroup mode if you don't wish to make it join domain again.

 

Based on your previous description, it seems that the error message event

ID 4 doesn't appear anymore. Please monitor if the issue has been resolved.

 

Hope all the information will be helpful.

 

Thanks for your time.

 

David Shen

Microsoft Online Partner Support

Guest David Shen [MSFT]
Posted

RE: Kerberos error event ID:4

 

Hello Adam,

 

We wanted to see if the information provided was helpful. Please keep us

posted on your progress and let us know if you have any additional

questions or concerns.

 

We are looking forward to your response.

 

David Shen

Microsoft Online Partner Support
