Kerberos issues after new server of same name joined to domain

Posted by MentalBlock on Server Fault
Published on 2012-11-03T01:04:11Z Indexed on 2012/11/27 11:07 UTC

Environment: Windows Server 2012, 2 Domain Controllers, 1 domain.

  • A server called Sharepoint1 was joined to the domain (running Sharepoint 2013 using NTLM).
  • The fresh install for Sharepoint1 (OS and Sharepoint) is performed and set up for Kerberos and joined to the domain using the same name. Two SPNs added for HTTP/sharepoint1 and HTTP/sharepoint1.somedomain.net for account SPFarm.
  • Active Directory shows a single, non-duplicate computer account with a create date of the first server and a modify date of the second server creation.
  • A separate server also on the domain has the server added to All Servers in Server Manager. This server shows a local error in the events exactly like this one from Technet (Kerberos error 4 - KRB_AP_ERR_MODIFIED).

Question:

Can someone help me understand if the problem is:

  • The computer account is still the old account and causing a Kerberos ticket mismatch (granted some housekeeping in AD might have prevented this)
  • (In my limited understanding of Kerberos and SPNs) that the SPFarm account used for the SPNs is somehow mismatched with HTTP calls made by the remote server management tools services in Windows Server 2012
  • Something completely different?

I am leaning towards the first one, since I tested the same SPNs on another server and it didn't seem to cause the same issue. If this is the case, can it be easily and safely repaired? Is there a proper way to either reset the account or, better yet, delete and re-add the account? Although it sounds simple enough with some PowerShell or clicking around in AD Users and Computers, I am uncertain what impact this might have on an existing server, particularly one running SharePoint. What is the safest and simplest way to proceed?

Thanks!
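An added diagnostic script (not from the original post) for narrowing down the two hypotheses above: it shows which account(s) hold the HTTP SPNs for the host, checks the forest for duplicate SPNs, and compares the computer object's timestamps and password age against the service account. It assumes the RSAT ActiveDirectory module, the setspn.exe tool, and the names from the question (sharepoint1, somedomain.net, SPFarm).

```powershell
# Added diagnostic, not part of the original post. Assumes the RSAT
# ActiveDirectory module and the names from the question.
Import-Module ActiveDirectory

$computerName = 'sharepoint1'                  # from the question
$serviceAcct  = 'SPFarm'                       # account that holds the HTTP SPNs

# 1. Which account(s) hold HTTP/sharepoint1* SPNs? KRB_AP_ERR_MODIFIED means the
#    service ticket was encrypted with a key that the receiving service cannot
#    decrypt, typically because a different account (or an old key) owns the SPN.
Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/$computerName*)" `
    -Properties servicePrincipalName |
    Select-Object Name, ObjectClass,
        @{ n = 'HttpSpns'; e = { $_.servicePrincipalName -like "HTTP/$computerName*" } } |
    Format-Table -AutoSize

# 2. Any SPN registered on more than one account anywhere in the forest?
setspn -X -F

# 3. Computer object history: was the old object reused by the rejoin, and
#    when was its machine password last set? (pwdLastSet is a FILETIME.)
Get-ADComputer -Identity $computerName `
    -Properties whenCreated, whenChanged, pwdLastSet, servicePrincipalName |
    Select-Object Name, whenCreated, whenChanged,
        @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } },
        servicePrincipalName |
    Format-List

# 4. SPNs on the service account, for comparison with step 1.
Get-ADUser -Identity $serviceAcct -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName

# 5. Run these ON sharepoint1 itself. -Repair resets only the computer
#    account's password in place (no delete/re-add) and does not touch the
#    SPFarm account or its SPNs.
# Test-ComputerSecureChannel -Verbose
# Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```

If step 2 reports a duplicate, or step 1 lists the HTTP SPNs on both the computer object and SPFarm, the SPN side is the more likely cause; if the SPNs are clean but step 5 reports a broken secure channel, the computer account is.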
