Thread: Kerberos error event ID:4

  1. #1
    Adam Raff Guest

    Kerberos error event ID:4

    Good Day,

    We have a computer Windows XP SP2 that I just put onto our network which
    replaces an older computer. The old computer name was flexprintserver and
    the new computer is called hpprintcut.

    I created hpprintcut about three weeks ago and added it to domain (Windows
    2003 SP1). Yesterday I replaced the systems, turned off the old system
    removed it from the network and then put the new one in the same location
    and turned it on. I have not seen any errors in the new computer's event
    logs but noticed the following errors on our servers which are both DCs.
    Since the other computer is not even plugged in I am confused on what it's
    saying as these two names are totally different as can be. If anybody has
    any ideas on this matter it would be a great help.




    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 4
    Date: 4/9/2008
    Time: 11:16:34 PM
    User: N/A
    Computer: Server
    Description:
    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
    FLEXPRINTSERVER$. The target name used was cifs/hpprintcut.hspop.net. This
    indicates that the password used to encrypt the kerberos service ticket is
    different than that on the target server. Commonly, this is due to
    identically named machine accounts in the target realm (Company.NET), and
    the client realm. Please contact your system administrator.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.


    Thanks
    Adam Raff



  2. #2
    David Shen [MSFT] Guest

    RE: Kerberos error event ID:4

    Dear Customer,

    Thank you for posting in newsgroup.

    According to the description, you have encountered the Kerberos error
    (Event ID 4) on both of the DCs after you replaced the old computer
    "flexprintserver" with the new computer "hpprintcut" in the domain. If I
    have any misunderstanding, please feel free to let me know.

    For troubleshooting this error, I would like to confirm some information
    with you firstly.

    Information Needed:
    ======================

    1. Did you make the old computer "flexprintserver" normally quit the
    Windows 2003 domain?

    2. Does the new computer and the old computer hold the same IP address?

    Analysis:
    ================

    This event will occur if you present a service ticket to a principal
    (target computer) which cannot be decrypted by the target. The service
    ticket is encrypted using the shared secret of the machine account's
    password as a seed for the resulting encryption used on the service ticket.
    This ensures that only the KDCs (DCs) and the target principal can decrypt
    the ticket. The client presents the encrypted ticket it received from the KDC
    to the target server. If the server can decrypt the ticket, the server then
    knows that it was encrypted by a trusted source (the DC) and the presenter
    (the client) is also trusted. If the shared secret (machine account password)
    used to encrypt the ticket is different between the KDC and the target
    machine, the ticket cannot be decrypted and the failure occurs.

    Suggestions:
    =============

    1. Please launch "Active Directory Users and Computers" on the domain
    controller, expand the domain and in the container of "Computer", please
    ensure old computer account "flexprintserver" has been removed and the new
    computer account "hpprintcut" exists.

    2. Please verify that IP address of the new computer exists in the DNS
    Server and the IP address is correctly pointed to the new server. You may
    run "ipconfig /flushdns" to flush the DNS cache and then run "ipconfig
    /registerdns" on the new computer "hpprintcut" to manually register the DNS
    record.

    3. Please verify that the IP address of the old computer "flexprintserver"
    has been removed in the DNS Server; in addition, please ensure that no
    "flexprintserver" A or Alias records exist in DNS.

    4. Please also perform check in WINS to ensure that no "Flexprintserver"
    records exist.

    5. Please check if the issue re-occurs, if possible, you may make the new
    computer re-join the Windows 2003 domain.

    6. I would like to suggest that you install and apply the service pack 2
    for Windows Server 2003 on all the domain controllers.

    Reference:
    ============

    How to obtain the latest service pack for Windows Server 2003
    http://support.microsoft.com/kb/889100

    Hope all the information will be helpful.

    I look forward to your reply and thank you for your time.

    David Shen
    Microsoft Online Partner Support
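
A triage sketch for the event discussed above, added here as an example and not part of the original posts: it parses the Event ID 4 description, compares the machine account that answered with the host in the target SPN, and lists the checks suggested in this thread. The names `triage` and `short_host` are hypothetical; the sample text is the event quoted in the first post.

```python
import re

# Constructed sample: the Event ID 4 description quoted in this thread.
SAMPLE_EVENT = """The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
FLEXPRINTSERVER$. The target name used was cifs/hpprintcut.hspop.net. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server."""

EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (?P<responder>\S+?)\. "
    r"The target name used was (?P<spn>\S+?)\.(?: |$)",
    re.IGNORECASE,
)

def short_host(name):
    """Reduce 'cifs/host.dom.tld', 'HOST$' or 'host:port' to a lowercase short host name."""
    host = name.split("/")[1] if "/" in name else name
    return host.split("@")[0].split(":")[0].rstrip("$").split(".")[0].lower()

def triage(description):
    """Parse one event description; return None if it is not KRB_AP_ERR_MODIFIED."""
    m = EVENT_RE.search(" ".join(description.split()))  # undo event-log line wrapping
    if not m:
        return None
    responder, spn = m.group("responder"), m.group("spn")
    result = {
        "responder_account": responder,
        "target_spn": spn,
        "responder_host": short_host(responder),
        "spn_host": short_host(spn),
    }
    result["names_differ"] = result["responder_host"] != result["spn_host"]
    if result["names_differ"]:
        # The ticket was issued for one name but answered under another account:
        # the checks below are the ones suggested in this thread.
        result["checks"] = [
            "computer account %s still present in AD" % result["responder_host"],
            "DNS A/alias records still naming %s" % result["responder_host"],
            "WINS records for %s" % result["responder_host"],
        ]
    else:
        # Same name on both sides: the key held by the host and the KDC differ.
        result["checks"] = ["rejoin %s to the domain" % result["spn_host"]]
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print(key, "=", value)
```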


  3. #3
    Adam Raff Guest

    Re: Kerberos error event ID:4

    1: What do you mean by normally quit. I just shut down the computer.

    2: Yes they had the same IP address

    Please see below with your following info

    Suggestions:
    1: Not Yet
    2: Did this already and ran ipconfig on new system HPprintcut
    3: Did this as well
    4: I looked in Wins but did not see any IP or name listed
    5:Next option if I have to
    6: I am working on that as we write hope to have it done in two months


  4. #4
    David Shen [MSFT] Guest

    RE: Kerberos error event ID:4

    Dear Customer,

    Thanks for your feedback.

    For your concern, here is some information which may be helpful for you.

    Analysis and Suggestion:
    ======================

    I meant that the member server "flexprintserver" quit the Windows 2003
    domain and join to the workgroup mode. If the old server doesn't quit the
    domain, and then the new server "hpprintcut" add to the domain with the
    same IP address of the old server, this may cause some potential problems
    afterwards.

    I don't want to push you, here is suggestion just for your reference, after
    that, please check if the issue will re-occur.

    I would like to suggest that you manually remove the old computer account
    "flexprintserver" in the "Active Directory Users and Computers" console and
    verify that the new computer account "hpprintcut" exists. In the DNS
    server, please check A record of the new server with the IP address exists
    and the A record of the old server is removed. If possible, please quit the
    new server from the domain and then make it rejoin the domain to build the
    security computer account automatically in the domain.

    Hope the issue will be resolved soon.

    Thanks for your time.

    David Shen
    Microsoft Online Partner Support


  5. #5
    Adam Raff Guest

    Re: Kerberos error event ID:4

    Hi David,

    Thanks for your help,

    After going through the records in DNS I found some old stuff that
    referred back to the old computer. I deleted them from both DNS servers and
    disabled the old account for now. I will delete it once everything checks
    out. I like to be able to put the old system back on even if I give it a
    new address such as DHCP if we need something off of the system.

    When you remove a system by changing it from Domain to workgroup. Does that
    also remove the computer name as well out of AD? Is there any difference
    between doing it that way or just deleting it when you are done?

    Otherwise as of this morning when we turned the system on I have not seen
    any errors. I am still waiting to see if we get some later today.

    Thanks for your help.
    Adam Raff



  6. #6
    David Shen [MSFT] Guest

    RE: Kerberos error event ID:4

    Hello Adam,

    Thanks for your reply.

    Based on the research, here is some information which may be helpful for
    you.

    Analysis:
    =========

    When you remove a system by changing it from domain to workgroup. Does
    that also remove the computer name as well out of AD?

    No.

    When we make the "Client A" quit Windows Server 2003 domain and join into
    the workgroup mode, the Active Directory only makes the computer account
    "Client A" disabled in the database, the computer account won't be removed
    until the administrator removes it manually. The Active Directory will
    preserve all the information of the computer account "Client A". Next time,
    when we rejoin the original computer "Client A" into the domain, the Active
    Directory will enable the computer account automatically.
    After we disjoin the "Client A" from the domain, we can manually remove the
    computer account in the Active Directory database, which means that the
    Active Directory won't preserve all the information about the computer
    account "Client A". In this way, the computer account "Client A" won't take
    effect in the domain anymore. So, I suggest that you manually remove the
    computer account after you make it join into workgroup mode if you don't
    wish to make it join domain again.

    Based on your previous description, it seems that the error message event
    ID 4 doesn't appear anymore. Please monitor if the issue has been resolved.

    Hope all the information will be helpful.

    Thanks for your time.

    David Shen
    Microsoft Online Partner Support


  7. #7
    David Shen [MSFT] Guest

    RE: Kerberos error event ID:4

    Hello Adam,

    We wanted to see if the information provided was helpful. Please keep us
    posted on your progress and let us know if you have any additional
    questions or concerns.

    We are looking forward to your response.

    David Shen
    Microsoft Online Partner Support

