Kerberos Error - Event ID 4

Ken Rappold

The error below occurs periodically on 5 new XP clients. I have not seen
any errors in the log files for the DCs. I haven't been able to find
information about this error. I've verified the computer names, no
duplicates exist.

Type: Error
Source: Kerberos
Event ID: 4
Event Time: 8/5/2004 2:43:28 PM
User: n/a
Computer: CLIENT100
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server CLIENT130$. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the
target realm (COMPANY.COM), and the client realm.
Please contact your system administrator.
 
Steven L Umbach

I have not seen that myself. It may help to run netdiag on those computers looking
for failed tests such as kerberos, dns, dcdiscovery, secure channel, etc.

http://www.eventid.net is always a good place to look up information on such errors,
and usually there is feedback from others who have experienced the error and their
solution. The link below is from there and discusses removing the computer from the
domain, deleting the domain account, and rejoining the domain [possibly with a
different computer name] as a possible fix. It may be a good idea to check your AD
replication also, in case the computer password has changed but the authentication
domain controller has not received the change. Replmon and gpotool from the free
support tools can help with that. --- Steve

http://eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
 
Ken Rappold

I have done the following:
I checked replication and passwords, no errors. I removed and renamed
CLIENT130 in the domain. This removed the event error from indicating
CLIENT130 was the culprit, now the error indicates computer CLIENT190 is the
culprit.
I ran netdiag /q on CLIENT100 and received the following:
[WARNING] You don't have a single interface with the <00> 'WorkStation Service',
<03> 'Messenger Service', <20> 'WINS' names defined.
There is information in the Windows 2000 resource kit:
Missing Name Errors
The following are missing name errors along with suggestions on how to
resolve them:

a. If the computer name <00> is the only name missing, this is most
likely the same case as for duplicate name. Check Event Viewer for
redirector errors or rename the computer.
b. If logon server name <03> are missing (the computer and logon names),
the Messenger Service is probably not running. Check Event Viewer for error
messages, and try typing net start messenger at the command prompt.
c. If the server name <20> is missing in conjunction with the computer
name <00>, it is probably the result of a name conflict. Check Event Viewer
to make sure. Then rename your computer.
I have removed and renamed CLIENT100, and am still receiving the error in
the event log: "The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server CLIENT190$..."
Netdiag /q on client500 (renamed from CLIENT100) indicates:
[WARNING] You don't have a single interface with the <00> 'WorkStation Service',
<03> 'Messenger Service', <20> 'WINS' names defined.

What else to try? Continue renaming the offending computer accounts until
the error goes away? :)
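
Added example, not written by anyone in this thread: a small Python parser for exported Kerberos Event ID 4 text in the layout quoted above, which tallies which target accounts each reporting client names and the reverse, so you can see whether the errors cluster on one target or follow one client. The sample data is constructed from the names mentioned in the thread; the `Type:` record delimiter and the helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample export: the event wording and hard line wraps shown in the
# thread, using the client/target names the thread mentions.
TEMPLATE = (
    "Type: Error\nSource: Kerberos\nEvent ID: 4\nUser: n/a\n"
    "Computer: {client}\nDescription:\n"
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the\n"
    "server {target}$. This indicates that the password used to encrypt the\n"
    "kerberos service ticket\nis different than that on the target server. "
    "Commonly, this is due to\nidentically named\n"
    "machine accounts in the target realm (COMPANY.COM), and the client realm.\n"
)
SAMPLE = "".join(
    TEMPLATE.format(client=c, target=t)
    for c, t in [("CLIENT100", "CLIENT130"), ("CLIENT100", "CLIENT190"),
                 ("CLIENT500", "CLIENT190")]
) + "Type: Warning\nSource: Example\nEvent ID: 4\nComputer: CLIENT100\n"

TARGET_RE = re.compile(r"KRB_AP_ERR_MODIFIED error from the server (\S+?)\.(?: |$)")
REALM_RE = re.compile(r"target realm \(([^)]+)\)")

def parse_events(text):
    """Return (client, target, realm) for each Kerberos Event ID 4 record."""
    events = []
    for record in re.split(r"(?m)^(?=Type:)", text):   # assumed record delimiter
        flat = " ".join(record.split())                # undo hard line wraps
        if not (re.search(r"Source: Kerberos\b", flat)
                and re.search(r"Event ID: 4\b", flat)):
            continue                                   # other sources / event IDs
        client = re.search(r"Computer: (\S+)", flat)
        target, realm = TARGET_RE.search(flat), REALM_RE.search(flat)
        if client and target:
            events.append((client.group(1).upper(), target.group(1).upper(),
                           realm.group(1) if realm else None))
    return events

def group(events, key, value):
    """Map field index `key` to the sorted distinct values of field `value`."""
    out = defaultdict(set)
    for ev in events:
        out[ev[key]].add(ev[value])
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print("targets named by each client:", group(evs, 0, 1))
    print("clients naming each target:  ", group(evs, 1, 0))
```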
 
