Active Directory SPN Mappings and Kerberos

I had an interesting customer problem today where Kerberos was being attempted for a service principal name (SPN) which simply didn’t exist in Active Directory. This was causing the applications (Exchange) involved to fail as they couldn’t authenticate to one another. The client machine involved was logging numerous errors similar to the following indicating that it was presenting a service ticket encrypted by another machine to the server in question. Log Name:      System Source:        Microsoft-Windows-Security-Kerberos Date:          12/6/2010 2:03:11 PM Event ID:      4 Level:         Error Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server01$. The target name used … Continue reading Active Directory SPN Mappings and Kerberos