Fixing the Security-Kerberos / 4 error

While I was building my lab environment with the preview of System Center 2012 R2, I’ve encountered an interesting issue regarding the data warehouse behavior.

Basically, the issue I had was that my Data Warehouse jobs would fail to complete. At the same time, in the event viewer of my systems I had the following error message :

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server smsvc. The target name used was MSOMSdkSvc/SCSMDW. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (WSDEMO.COM) is different from the client domain (WSDEMO.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

In my environment, smsvc is the service account that I’m using for Service Manager. However when I looked at my SPN settings, I had the following :

C:\Users\Administrator.WSDEMO>setspn -Q MSOMSdkSvc/SCSMDW
Checking domain DC=wsdemo,DC=com

Existing SPN found!

So the situation is that when the Kerberos client tries to validate the authentication, the information he gets from Active Directory are different than the ones that is in the ticket.

Solution applied:

To solve this issue, I took the following steps:

  1. Unregister the bad service entry :
    setspn –D MSOMSdkSvc/SCSMDW SCSMDW
    Unregistering ServicePrincipalNames for CN=SCSMDW,CN=Computers,DC=wsdemo,DC=com
    Updated object
  2. Register the service entry with the right information :
    setspn -A MSOMSdkSvc/SCSMDW smsvc
    Checking domain DC=wsdemo,DC=com
  3. Registering ServicePrincipalNames for CN=smsvc,OU=ServiceAccounts,OU=demo,DC=wsd
    Updated object

I’ve applied this operation for all the service entries that I have found with this error message. then I’ve restarted my servers to ensure that there was no entry in the cache allthough I think it is not necessary.

If you want to learn more about this error message, you can read the following article : and this article that explains how the SPN should look like: 

You can download System Center 2012 R2 from this location:

Comments (0)