Fixing the Security-Kerberos / 4 error

While I was building my lab environment with the preview of System Center 2012 R2, I’ve encountered an interesting issue regarding the data warehouse behavior.

Basically, the issue I had was that my Data Warehouse jobs would fail to complete. At the same time, in the event viewer of my systems I had the following error message:

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SCSMDW.wsdemo.com
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server smsvc. The target name used was MSOMSdkSvc/SCSMDW. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (WSDEMO.COM) is different from the client domain (WSDEMO.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

In my environment, smsvc is the service account that I’m using for Service Manager. However, when I looked at my SPN settings, I had the following:

C:\Users\Administrator.WSDEMO>setspn -Q MSOMSdkSvc/SCSMDW
Checking domain DC=wsdemo,DC=com
CN=SCSMDW,CN=Computers,DC=wsdemo,DC=com
MSOMSdkSvc/SCSMDW
MSOMSdkSvc/SCSMDW.wsdemo.com
MSOMHSvc/SCSMDW
MSOMHSvc/SCSMDW.wsdemo.com
TERMSRV/SCSMDW
TERMSRV/SCSMDW.wsdemo.com
WSMAN/SCSMDW
WSMAN/SCSMDW.wsdemo.com
RestrictedKrbHost/SCSMDW
HOST/SCSMDW
RestrictedKrbHost/SCSMDW.wsdemo.com
HOST/SCSMDW.wsdemo.com

Existing SPN found!

So the situation is that when the Kerberos client tries to validate the authentication, the information it gets from Active Directory is different from what is in the ticket: the SPN is registered on the computer account SCSMDW, while the service actually runs as smsvc, so the ticket is encrypted with a key the service cannot decrypt.

Solution applied:

To solve this issue, I took the following steps:

  1. Unregister the bad service entry:
    setspn -D MSOMSdkSvc/SCSMDW SCSMDW
    Unregistering ServicePrincipalNames for CN=SCSMDW,CN=Computers,DC=wsdemo,DC=com
    MSOMSdkSvc/SCSMDW
    Updated object

  2. Register the service entry with the right information:
    setspn -A MSOMSdkSvc/SCSMDW smsvc
    Checking domain DC=wsdemo,DC=com

    Registering ServicePrincipalNames for CN=smsvc,OU=ServiceAccounts,OU=demo,DC=wsdemo,DC=com
    MSOMSdkSvc/SCSMDW
    Updated object

I’ve applied this operation to all the service entries that I found with this error message. Then I restarted my servers to ensure that there was no stale entry in the ticket cache, although I think it is not necessary.
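To check the remaining SPNs without running setspn -Q by hand, here is an added example (not part of the original post) that queries Active Directory for every object holding each SPN, compares it with the account that should own it, and pulls the recent Security-Kerberos event 4 entries from the local System log. It assumes the ActiveDirectory RSAT module is installed and uses the names from this post (MSOMSdkSvc/SCSMDW owned by smsvc) as assumed values in $Expected.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module (RSAT). SPN -> expected sAMAccountName; the values below are assumed
# from the post and must be adjusted for another environment.
Import-Module ActiveDirectory

$Expected = @{
    'MSOMSdkSvc/SCSMDW'            = 'smsvc'
    'MSOMSdkSvc/SCSMDW.wsdemo.com' = 'smsvc'
}

function Test-SpnOwner {
    param([hashtable]$Map)
    foreach ($spn in $Map.Keys) {
        # Every object in the domain carrying this SPN. Zero holders, more
        # than one holder, or a holder other than the expected account all
        # lead to the KRB_AP_ERR_MODIFIED error shown above.
        # @(...) forces an array even when a single name comes back.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                                  -Properties sAMAccountName |
                     Select-Object -ExpandProperty sAMAccountName)
        if ($holders.Count -eq 0) {
            $status = 'MISSING'
        } elseif ($holders.Count -eq 1 -and $holders[0] -eq $Map[$spn]) {
            $status = 'OK'
        } else {
            $status = 'WRONG ACCOUNT OR DUPLICATE'
        }
        [pscustomobject]@{
            SPN      = $spn
            Expected = $Map[$spn]
            Holders  = ($holders -join ', ')   # computer accounts end in '$'
            Status   = $status
        }
    }
}

# Security-Kerberos event 4 on this host over the last $Hours hours,
# i.e. the KRB_AP_ERR_MODIFIED entries quoted in the post.
function Get-KerberosApErrModified {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 4
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName,
        @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

Test-SpnOwner -Map $Expected | Format-Table -AutoSize
Get-KerberosApErrModified | Format-Table -AutoSize
```

Any row whose Status is not OK is a candidate for the setspn -D / setspn -A pair above; rerun the script afterwards to confirm the SPN is held only by smsvc.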

If you want to learn more about this error message, you can read the following article: https://support.microsoft.com/kb/811889 and this article that explains what the SPNs should look like: https://blogs.technet.com/b/kevinholman/archive/2011/08/08/opsmgr-2012-what-should-the-spn-s-look-like.aspx

You can download System Center 2012 R2 from this location: https://technet.microsoft.com/evalcenter/dn205295.aspx