Remote Server Manager Kerberos Error

Just set up a new WS2012 Enterprise CA. Server Manager run on the new CA works normally against local and remote WS2012 servers. But when I add the server to other servers' Server Manager, "All Servers" displays "Kerberos security error" and this event is logged:

Log Name:      Microsoft-Windows-ServerManager-MultiMachine/Operational
Source:        Microsoft-Windows-ServerManager-MultiMachine
Date:          7/27/2015 9:34:09 AM
Event ID:      216
Task Category: Node access.
Level:         Error
Keywords:      
User:          DOMAIN\Username
Computer:      LOCALCOMPUTER.DOMAIN.local
Description:
Invoke method error. Server: REMOTECOMPUTER.DOMAIN.local, Namespace: root\microsoft\windows\servermanager, Class: MSFT_ServerManagerTasks, Method: GetServerInventory, Error: The metadata failed to be retrieved from the server, due to the following error: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.  
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. 

All servers are in the same domain, I'm logged on as a Domain Admin, no SPNs have been manually added or deleted. Also tried with the firewall (just Windows firewall) turned off. I don't find any auth errors in the Security log on either the problem machine or the remote machines.

SETSPN -L run on the problem server returns this, which looks normal to me:

C:\Windows\system32>SETSPN -L COMPUTERNAME
Registered ServicePrincipalNames for CN=COMPUTERNAME,OU=OUName,OU=OUName,DC=DOMAIN,DC=local:
        WSMAN/COMPUTERNAME.DOMAIN.local
        TERMSRV/COMPUTERNAME.DOMAIN.local
        RestrictedKrbHost/COMPUTERNAME.DOMAIN.local
        HOST/COMPUTERNAME.DOMAIN.local
        WSMAN/COMPUTERNAME
        TERMSRV/COMPUTERNAME
        RestrictedKrbHost/COMPUTERNAME
        HOST/COMPUTERNAME


Ideas?

[edit]

Found this relevant Event in the System log of the remote Server Manager trying to connect to the problem server:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          7/27/2015 2:33:36 PM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTER.DOMAIN.local
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server REMOTECOMPUTER$. The target name used was HTTP/REMOTECOMPUTER.DOMAIN.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN.LOCAL) is different from the client domain (DOMAIN.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
...but I don't know what I need to do about it.

There are no duplicate DNS entries, no duplicate computer entries in AD, no user accounts with the same name, no clustering, all users and computers are in the same domain and forest.

  • Edited by JRVCr Monday, July 27, 2015 8:22 PM
July 27th, 2015 3:43pm
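The Kerberos Event 4 above names the target as HTTP/REMOTECOMPUTER.DOMAIN.local, while the setspn -L output only shows WSMAN/ and HOST/ entries. WinRM clients request a ticket for HTTP/<fqdn>; when no HTTP/ SPN exists, the KDC falls back to the HOST/ SPN of the computer account. KRB_AP_ERR_MODIFIED therefore points at one of two things the event text itself lists: an HTTP/ SPN registered on some other account (so the ticket is encrypted with that account's key), or a computer-account key that differs between the KDC and the server. The following PowerShell is an added diagnostic, not something posted in this thread; it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation and uses REMOTECOMPUTER.DOMAIN.local as a placeholder host name.

```powershell
# Added diagnostic example (not from the thread): map the SPN named in
# Kerberos Event 4 to the AD account(s) that hold it, then check the
# computer account and the Kerberos path that Server Manager/WinRM uses.
# Assumptions: RSAT ActiveDirectory module installed; placeholder host name.
Import-Module ActiveDirectory

$Target = 'REMOTECOMPUTER.DOMAIN.local'   # placeholder: the server from Event 4
$Short  = ($Target -split '\.')[0]
$ComputerSam = "$Short`$"                 # computer accounts are named NAME$

# 1. Which account holds each SPN the WinRM client could end up using?
#    The client asks for HTTP/<fqdn>; with no HTTP/ SPN the KDC uses HOST/.
#    Any HTTP/ SPN sitting on an account other than the computer account is
#    the first cause in the Event 4 text and should be ruled out first.
foreach ($spn in "HTTP/$Target", "HTTP/$Short", "HOST/$Target", "WSMAN/$Target") {
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                            -Properties objectClass, sAMAccountName
    if (-not $holders) {
        "$spn : not registered (HTTP requests will fall back to HOST/)"
        continue
    }
    foreach ($h in $holders) {
        $flag = if ($h.sAMAccountName -ne $ComputerSam) { '  <-- NOT the computer account' } else { '' }
        "$spn : held by $($h.sAMAccountName) ($($h.objectClass))$flag"
    }
}

# 2. Forest-wide duplicate check (setspn -X searches the whole forest).
setspn -X | Select-String -Pattern 'duplicate'

# 3. Computer account health: when was the machine password last set, and
#    which SPNs does the account itself carry? A key mismatch between the KDC
#    and the server is the second cause named in Event 4.
Get-ADComputer -Identity $Short -Properties PasswordLastSet, servicePrincipalName |
    Select-Object Name, Enabled, PasswordLastSet,
                  @{ n = 'SPNs'; e = { $_.servicePrincipalName -join '; ' } }

# 4. Reproduce the failing path with Kerberos only (no Negotiate/NTLM fallback),
#    then show the service ticket the client actually obtained for the target.
Test-WSMan -ComputerName $Target -Authentication Kerberos -ErrorAction Continue
klist get "HTTP/$Target"
klist | Select-String -Pattern "HTTP/$Target|HOST/$Target"
```

Read step 1 first: if HTTP/REMOTECOMPUTER.DOMAIN.local is held by a service or user account (for example one used by an IIS application pool), the ticket the client presents is encrypted with that account's key and the WinRM service, running as the computer account, cannot decrypt it, which is exactly the Event 4 symptom. If the SPN is absent and HOST/ is only on the computer account, step 3 and the secure-channel checks become the relevant line of inquiry.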

Hi,

Please run Setspn -x to check whether there are any duplicate SPNs.

Setspn

https://technet.microsoft.com/en-us/library/cc731241.aspx

If Domain Controllers in the domain were migrated from Windows Server 2003 to Windows Server 2012 R2, Kerberos event ID 4 would occur after a machine password change; please refer to the blog below to find out the cause and download the hotfix.

It turns out that weird things can happen when you mix Windows Server 2003 and Windows Server 2012 R2 domain controllers

http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx

Best Regards,

July 28th, 2015 8:15am

Hi Amy, thanks for your reply.

SETSPN -X showed 0 duplicates.

The domain was upgraded, and I think it was from WS2003 (before my time here). But there have been no 2003 DCs here for nearly 2 years. I've seen that error on another site that has a WS2008 R2 DC and a WS2003 DC, but that SPECIFIC error does not occur here. The SPN in the Kerberos Event 4 here was "HTTP/REMOTECOMPUTER.DOMAIN.local." The SPN in the blog was "host/myserver.domain.com". Could be the same root cause, I guess, but definitely 2 different SPNs.

Further, the problem machine was just set up about a week ago, and should not even have changed its computer password yet. I've read that some people have solved this by unjoining/rejoining the computer to the domain. But the problem server is an Enterprise CA, and you're not supposed to change domain membership after installing the CA role. I don't know if that means I can't unjoin & rejoin the same domain, however. I may need to ask this in the Security forum; but do you happen to know?

[Edit]

This appears to be a way to disjoin/rejoin an Enterprise CA to a domain:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/fd5effbb-38fe-4557-80af-edaffe2b4625/the-kerberos-client-received-a-krbaperrmodified-error-on-enterprise-certification-authority?forum=winserversecurity


Please advise.
  • Edited by JRVCr Wednesday, July 29, 2015 3:34 PM
July 29th, 2015 10:08am

Hi,

But the problem server is an Enterprise CA, and you're not supposed to change domain membership after installing the CA role. I don't know if that means I can't unjoin & rejoin the same domain, however. I may need to ask this in the Security forum; but do you happen to know?

As you mentioned, we cannot change an Enterprise CA's domain membership or its computer name without uninstalling certificate services.

Please check this screenshot below, the Change button is grayed out, which means we cannot unjoin the machine.

Before you try the steps from the thread you mentioned above, I suggest you reset the secure channel between the domain (PDC) and the CA, since I have seen several similar issues resolved by it.

On a Domain Controller, please run:

Netdom reset /d:domainname machinename

More information for you:

Netdom reset

https://technet.microsoft.com/en-us/library/cc788073.aspx?f=255&MSPPError=-2147217396

Kerberos Event ID 4 (KRB_AP_ERR_Modified)

https://social.technet.microsoft.com/Forums/windowsserver/en-US/f8a93cde-f1de-47b6-b85a-781c795825f7/kerberos-event-id-4-krbaperrmodified?forum=winserverDS

The Kerberos client received a KRB_AP_ERR_MODIFIED error

https://social.technet.microsoft.com/Forums/windowsserver/en-US/1712db04-0dd3-4f94-9f7c-a28daf9382c9/the-kerberos-client-received-a-krbaperrmodified-error?forum=winserverDS

Best Regards,

Amy

July 29th, 2015 10:37pm
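The netdom reset step above re-establishes the secure channel between the CA and a domain controller; what it does not show is how to confirm the channel state before and after, or how to check the second cause listed in Event 4 (the computer account's key differing between DCs). The following PowerShell is an added example, not part of this thread or of any Microsoft guidance quoted here. It assumes it is run on the problem server (the CA) as a domain admin with RSAT installed, and uses DOMAIN.local and CA.DOMAIN.local as placeholders.

```powershell
# Added example (not from the thread): verify the secure channel from the CA,
# reset it against the PDC emulator if it is broken (the same operation that
# "netdom reset" performs), and confirm the computer account password is
# consistent on every DC before re-testing from the remote Server Manager.
# Assumptions: run on the CA as a domain admin; RSAT installed; placeholders.
Import-Module ActiveDirectory

$Domain = 'DOMAIN.local'                                 # placeholder
$Pdc    = (Get-ADDomain -Identity $Domain).PDCEmulator   # DC used for the reset
$Me     = $env:COMPUTERNAME

# 1. Current channel state and the DC it was negotiated with.
nltest /sc_query:$Domain
$healthy = Test-ComputerSecureChannel -Server $Pdc -Verbose
"Secure channel to $Pdc healthy: $healthy"

# 2. Reset the channel only if it is actually broken.
if (-not $healthy) {
    Test-ComputerSecureChannel -Repair -Server $Pdc -Verbose
    nltest /sc_verify:$Domain
}

# 3. The KDC that issued the client's ticket and the server must agree on the
#    computer account key. Compare PasswordLastSet on every DC; a DC that
#    lags behind still issues tickets under the old key until it replicates.
$dcs = (Get-ADDomainController -Filter * -Server $Domain).HostName
foreach ($dc in $dcs) {
    $acct = Get-ADComputer -Identity $Me -Server $dc -Properties PasswordLastSet
    '{0,-35} PasswordLastSet={1}' -f $dc, $acct.PasswordLastSet
}
# Force replication across all partitions if the values above disagree.
# repadmin /syncall /AdeP

# 4. Then, on the remote Server Manager host, drop cached service tickets so
#    the next connection fetches a fresh HTTP/ ticket, re-test with Kerberos
#    only, and pull any new Kerberos Event 4 entries from the last 10 minutes.
# klist purge
# Test-WSMan -ComputerName CA.DOMAIN.local -Authentication Kerberos
# Get-WinEvent -FilterHashtable @{ LogName = 'System';
#     ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4;
#     StartTime = (Get-Date).AddMinutes(-10) } | Format-List TimeCreated, Message
```

The value of step 3 is that it separates "channel reset completed" (which the thread reports) from "every KDC now holds the key the server uses": if one DC still shows an older PasswordLastSet, clients whose tickets came from that DC will keep producing KRB_AP_ERR_MODIFIED until replication converges, regardless of a successful netdom reset.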

Hi,

NETDOM completed without errors, but the problem is unchanged.

Well, I have no more ideas at the moment; you may try the method from the thread you mentioned above.

In addition, you may back up the server before you try the suggestion, in case something goes wrong.

Best Regards,

Amy

August 2nd, 2015 10:57pm