Kerberos issues after new server of same name joined to domain
- by MentalBlock
Environment: Windows Server 2012, 2 Domain Controllers, 1 domain.
A server called Sharepoint1 was joined to the domain (running SharePoint 2013 using NTLM).
A fresh install of Sharepoint1 (OS and SharePoint) was performed, set up for Kerberos, and joined to the domain using the same name.
Two SPNs were added, HTTP/sharepoint1 and HTTP/sharepoint1.somedomain.net, for the account SPFarm.
Active Directory shows a single, non-duplicate computer account with a create date of the first server and a modify date of the second server's creation.
A separate server, also on the domain, has the server added to All Servers in Server Manager. This server shows a local error in the events exactly like this one from TechNet (Kerberos error 4 - KRB_AP_ERR_MODIFIED).
Question:
Can someone help me understand if the problem is:
1. The computer account is still the old account and is causing a Kerberos ticket mismatch (granted, some housekeeping in AD might have prevented this)?
2. (In my limited understanding of Kerberos and SPNs) the SPFarm account used for the SPNs is somehow mismatched with the HTTP calls made by the remote server management tools services in Windows Server 2012?
3. Something completely different?
I am leaning towards the first one, since I tested the same SPNs on another server and it didn't seem to cause the same issue. If this is the case, can it be easily and safely repaired? Is there a proper way to either reset the account or, better yet, delete and re-add the account? Although it sounds simple enough with some PowerShell or clicking around in AD Users and Computers, I am uncertain what impact this might have on an existing server, particularly one running SharePoint. What is the safest and simplest way to proceed?
Thanks!
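Added example, not part of the question or of the TechNet article it links: a PowerShell check that lists which AD accounts hold SPNs for the host named in the question and flags the two conditions a KRB_AP_ERR_MODIFIED investigation usually starts with, the same SPN on more than one account and an HTTP/ SPN held by something other than the host's computer account. It assumes the ActiveDirectory RSAT module is installed; the host and domain names are the ones from the question.

```powershell
# Added example (not from the question): enumerate every AD account holding an SPN for
# the host and flag duplicate SPNs and HTTP/ SPNs not held by the computer account.
# Requires the ActiveDirectory RSAT module; run as an ordinary domain user.
param(
    [string]$HostName  = 'sharepoint1',     # values from the question
    [string]$DnsSuffix = 'somedomain.net'
)
Import-Module ActiveDirectory

$targets = @($HostName, "$HostName.$DnsSuffix")
$spns = foreach ($target in $targets) {
    # Any service class (HTTP/, HOST/, WSMAN/, ...) registered for this exact host name.
    Get-ADObject -LDAPFilter "(servicePrincipalName=*/$target)" `
                 -Properties servicePrincipalName, objectClass |
        ForEach-Object {
            $account = $_
            $account.servicePrincipalName |
                Where-Object { $_ -like "*/$target" } |
                ForEach-Object {
                    [pscustomobject]@{ SPN = $_; Account = $account.Name; Class = $account.objectClass }
                }
        }
}

Write-Host "SPNs registered for $($targets -join ', '):"
$spns | Sort-Object SPN | Format-Table SPN, Account, Class -AutoSize

# Condition 1: the same SPN on more than one account. The KDC cannot choose the key
# unambiguously, so the service may receive a ticket encrypted with another account's key.
$spns | Group-Object SPN | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("Duplicate SPN {0} on: {1}" -f $_.Name, ($_.Group.Account -join ', '))
}

# Condition 2: HTTP/ SPN on a non-computer account. Without an explicit HTTP/ SPN the
# computer account's HOST/ SPN covers HTTP; once HTTP/<host> is registered to a service
# account, tickets for HTTP/<host> are encrypted with that account's key, which only a
# service running as that account can decrypt.
$spns | Where-Object { $_.SPN -like 'HTTP/*' -and $_.Class -ne 'computer' } | ForEach-Object {
    Write-Warning ("{0} is held by {1} ({2}), not by the computer account {3}`$" -f `
        $_.SPN, $_.Account, $_.Class, $HostName)
}
```

Run it from any domain-joined machine with RSAT; the same ownership picture can be cross-checked with `setspn -Q HTTP/sharepoint1` and `setspn -X` for forest-wide duplicates.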