Log Message: Kerberos client received a KRB_AP_ERR_MODIFIED error from the server

I was working on a client’s server the other day and I finally decided I would look at and resolve one of the more common error messages I see when I’m working on a remediation project:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server reception-win7$. The target name used was cifs/ceo-computer.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using.

The message evaded me for quite a long time. It seemed to indicate a mismatch in computer names, but I knew quite well that both machines were properly joined to the domain. I wondered what would happen if I tried a basic operation on the target machine:

C:\System>dir \\ceo-computer\c$
Logon Failure: The target account name is incorrect.

Interesting. Something was going on with the account for ceo-computer$. I wondered whether the machine was online and resolved to an IP address:

C:\System>ping -n 1 ceo-computer
Pinging ceo-computer.domain.local [10.0.0.36] with 32 bytes of data:
Reply from 10.0.0.36: bytes=32 time<1ms TTL=128

Interesting: the machine is online. Could the error be about the computer account rather than the host? A quick check would show me the NetBIOS machine name registered by that host:

C:\System>nbtstat -A 10.0.0.36

Local Area Connection:
Node IpAddress: [10.0.0.2] Scope Id: []

NetBIOS Remote Machine Name Table

Name              Type    Status
---------------------------------------------
RECEPTION-WIN7    <00>  UNIQUE      Registered
DOMAIN            <00>  GROUP       Registered
RECEPTION-WIN7    <20>  UNIQUE      Registered
DOMAIN            <1E>  GROUP       Registered

MAC Address = 00-0F-FB-F3-CF-73

And there we have it. When I issue the DIR command for the above UNC, the client resolves the machine name in DNS and requests a Kerberos ticket for that machine's SPN (cifs/ceo-computer.domain.local). DNS returned the IP address of a different computer (reception-win7), so the ticket was encrypted for an account that host does not hold, and the destination rejected the connection because the target account name was incorrect.

A quick check showed what I immediately suspected: DHCP was not updating DNS when a DHCP renew request was processed, so DNS was still serving (very) old values. I fixed DHCP and checked later. Voilà! The problem was resolved.
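The manual checks above (resolve the name, see who actually answers at that address, confirm which account owns the SPN) can be folded into one script so the stale-record case is caught before anyone reads event logs. The following PowerShell is an added example and not part of the original post; it assumes a domain-joined Windows host with nbtstat.exe and setspn.exe available, NetBIOS over TCP/IP enabled on the target, and uses the post's names (ceo-computer, domain.local) only as sample values.

```powershell
# Added example (not from the original post): does the forward DNS record for a
# host point at the machine that really answers on that address?
# Assumptions: domain-joined client, nbtstat.exe and setspn.exe present,
# NetBIOS over TCP/IP enabled on the target. Names below are sample values.
param(
    [Parameter(Mandatory)] [string]$TargetHost,   # e.g. ceo-computer
    [string]$DnsSuffix = 'domain.local'
)

$fqdn = "$TargetHost.$DnsSuffix"

# 1. Forward lookup: the address the Kerberos client will actually connect to.
$aRecord = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
           Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1
$ip = $aRecord.IPAddress
Write-Host "DNS A record: $fqdn -> $ip"

# 2. Ask the host at that address what it calls itself. The <20> UNIQUE entry
#    is the file-server service name that CIFS/SMB registers.
$nbt   = nbtstat -A $ip 2>$null
$regex = '^\s*(?<name>\S+)\s+<20>\s+UNIQUE\s+Registered'
$actualName = $nbt | Select-String -Pattern $regex |
              ForEach-Object { $_.Matches[0].Groups['name'].Value } |
              Select-Object -First 1
Write-Host "Host at $ip registers NetBIOS name: $actualName"

# 3. Reverse lookup as a second opinion (PTR records can be stale as well).
$ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue).NameHost
Write-Host "PTR for $ip : $ptr"

# 4. Which account holds the SPN the client will request a ticket for?
#    setspn -Q prints the distinguished name of the owning account.
$owner = setspn -Q "cifs/$fqdn" 2>$null | Where-Object { $_ -match '^CN=' }
Write-Host "Account owning cifs/$fqdn : $owner"

# 5. Verdict. With a stale A record the ticket is encrypted for $TargetHost$
#    but handed to $actualName$, which is the KRB_AP_ERR_MODIFIED /
#    "target account name is incorrect" case described in the post.
if ($actualName -and ($actualName -ine $TargetHost)) {
    Write-Warning ("Stale DNS: {0} resolves to {1}, but that host is {2}. " +
                   "Check DHCP/DNS dynamic updates and scavenging.") -f $fqdn, $ip, $actualName
    exit 1
}
Write-Host "OK: DNS name and NetBIOS name agree for $fqdn."
```

Run it as `.\Check-StaleHost.ps1 -TargetHost ceo-computer`; on the post's network it would print the <20> name RECEPTION-WIN7 for 10.0.0.36 and exit with the warning, which is the same conclusion the nbtstat output led to by hand.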

6 thoughts on “Log Message: Kerberos client received a KRB_AP_ERR_MODIFIED error from the server”

  1. David Sornig

    Good morning,

    Thank you for taking the time to document this issue.
    I am having this exact issue. When I follow your steps I get the exact results you get above. When you say you corrected DHCP what was it that you had to do to correct DHCP?

    Thanks,

    David

  2. wpadmin Post author

    Hi Guys – I’ll make sure to elaborate on this article when I get a chance! When a DHCP client requests an address, the DHCP service can notify the DNS service that a device hostname has received an address, resulting in an A record creation.

    However, for most Windows PCs, the Dynamic Updates feature of AD should do this for you. First, check and make sure the company’s domain is set to allow Dynamic Updates in the DNS Console (Right-click the main domain zone – it’s right in the General tab).

    While probably less applicable to this article, some clients work outside of AD and still need DNS updates when they request a DHCP address. If this is you, follow these steps. Give your DNS settings a lookover in the DHCP console (open the DHCP Console, right-click IPv4 and select Properties – check the DNS tab). My go-to settings are to enable DNS dynamic updates for devices that request it (if requested by the client) and to delete a record when the lease is deleted.

    Under the advanced tab, you’ll want to enter credentials for the DHCP service to use when updating the DNS server. I typically create a “dhcp-dns-update” user to do this – no special permissions have been necessary in my experience. Remember, this shouldn’t be necessary if you’re allowing Dynamic Updates in DNS and you’re a domain-only network.

    It’s also good practice to turn on DNS scavenging. This cleans up older records that haven’t been touched in a while. A quick Google search should reveal much better write-ups than I can do here.

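The DHCP and DNS settings the reply above walks through in the consoles can also be applied from the DhcpServer and DnsServer PowerShell modules on Windows Server. This block is an added example, not the author's own configuration; the zone name, server names and the dhcp-dns-update account are placeholders, and the seven-day aging intervals are an assumption to be matched to the site's DHCP lease length.

```powershell
# Added example (not from the original post or comment): apply the DHCP/DNS
# settings described in the reply with the DhcpServer and DnsServer modules.
# Assumptions: run on, or with RSAT against, a Windows Server DHCP/DNS host.
# All names and intervals below are placeholders.
$Zone       = 'domain.local'          # AD-integrated forward zone (placeholder)
$DhcpServer = 'dhcp01.domain.local'   # placeholder
$DnsServer  = 'dc01.domain.local'     # placeholder

# 1. The zone accepts only secure dynamic updates, so domain-joined clients
#    keep their own A records current and an unauthenticated host cannot
#    overwrite another machine's name.
Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $Zone -DynamicUpdate Secure

# 2. DHCP registers records only when the client asks for it, and deletes the
#    record when the lease is deleted, so a reused address does not keep an
#    old name (the stale-record cause of KRB_AP_ERR_MODIFIED in the post).
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates OnClientRequest `
    -DeleteDnsRROnLeaseExpiry $true

# 3. Low-privilege account the DHCP service uses for those updates; needed for
#    the non-AD clients case. A plain domain user is sufficient.
$cred = Get-Credential -Message 'DHCP DNS update account (e.g. DOMAIN\dhcp-dns-update)'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# 4. Scavenging: age records and delete those not refreshed within the window.
#    Keep NoRefresh + Refresh at or above the DHCP lease duration so records
#    for live leases are never scavenged. 7 days each is an assumed value.
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -ScavengingInterval 7.00:00:00

# 5. Review what was applied.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
Get-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone
```

Scavenging only runs on servers listed as scavenging servers for the zone and after the no-refresh plus refresh window has elapsed, so a stale record like the one in the post is not removed immediately after these commands; the DHCP lease-deletion setting is what prevents new stale records from being created.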
  3. David Sornig

    Thank you for your reply. I cleaned up DHCP and DNS scavenging. I let it settle down over the weekend, but the nbtstat never did return just one entry. It returns the same as yours does in the article. I assume it should only return one entry.

    Thank you for your time,

    David

  4. Darwin collins

    Regarding Samsam.exe cryptolocker,

    my theory is that it uses psexesvc to deploy samsam.exe to the servers and workstations. However, the c and c needs to first capture the token or perhaps raw password of a privileged user such as domain admin. This is not difficult if domain admin accounts are not isolated/protected and/or delegation is enabled.

    1. wpadmin Post author

      I wish I could have investigated this a bit further, but that sounds pretty close to what I saw. Unfortunately, I wrote the article and played with the virus in a sandbox, then spent the next few days cleaning up the environment with our team.

      We suspect it came into their network on one of the system administrator’s computers which, combined with your theory, explains how and why it spread to the servers as fast as it did. Unfortunately for this customer, by the time they came to us, it was a complete rebuild.
