MOSS Forum

Ask Question   UnAnswered
Home » Forum » MOSS       RSS Feeds

Kerberos Errors caused by Host Headers

  Asked By: Daniel    Date: Jan 12    Category: MOSS    Views: 1606

I am having an issue with our MOSS 2007 medium web farm. We have two
WFT, 1 dedicated index server and a SQL cluster server (2005). We are
using WLBS and have one dedicated web server. I have validated our
setup with Microsoft SharePoint team but we are still seeing this error.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 8/31/2009
Time: 1:09:04 PM
User: N/A
Computer: MSS1 (first node WFE)
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/mss1. The target name used was cifs/mss2 (this is our second node
WFE). This indicates that the password used to encrypt the kerberos
service ticket is different than that on the target server. Commonly,
this is due to identically named machine accounts in the target realm
(domain), and the client realm. Please contact your system

I brought this to the attention of our network team but they are not
trying to take ownership. They are trying to say that SharePoint is
causing the error message and that there is not a network issue. I need
to make sure I have a full understanding of this issue. We are
currently using several host headers to allow users to enter a vanity
URL. All URLs point to the load balanced ip (xxx.xx.x.130) and not the
IP for the first node web server...xxx.xx.x.131

Right now we have several 'A' records in our DNS that all point to our
load balanced DNS record xxx.xx.x.130....basically for vanity purposes.
AGNIS is the entry for our main portal. Is this the best practice? How
is everyone else handling host headers in a load balanced environment.

Agnis Host (A) xxx.xx.x.130 static
agnis_ssp Host (A) xxx.xx.x.130 static
amsrecords Host (A) xxx.xx.x.130 static
amsrecords2 Host (A) xxx.xx.x.130 static
amsrecords_ssp Host (A) xxx.xx.x.130 static
myagnis Host (A) xxx.xx.x.130 static
rts Host (A) xxx.xx.x.130 static

As you can see from this message account is using cifs name for the
second node on the first node which will cause a problem since the name
is not the same as the Kerberos ticket. Are the DNS entries above
causing the problem. Our network administrator stated that he did not
find any duplicate SPN on our network.

My question is will the multiple host headers cause a problem. I did not
think so since they are only being used for vanity purposes and the
service ticket is hitting the server by server name and not by the host
header name.

Any advice you can provide or additional documentation. I have a
meeting with them to discuss this so any advice would be greatly



3 Answers Found

Answer #1    Answered By: Lorenzo Steele     Answered On: Jan 12

Are you guys using Windows 2008? If so, there's a very easy way to find out
duplicate SPN's in your environment.

Windows Server 2008 way to find duplicate SPN's:
setspn -x

Windows 2003:
Replace the following with your environments details:

1.Click "Start"2.Click "Run"3.Type "CMD"4.Type "CD \"5.Type the following:
ldifde -s <GC_Server_Name> -f c:\<My_SPN_Dump_File>.txt -d "" -r
"(serviceprincipalname=host/<Machine_Name>)" -p subtree -t 3268 -l

Answer #2    Answered By: Divakar Naik     Answered On: Jan 12

No we are using Windows 2003............

Answer #3    Answered By: Marcus Davis     Answered On: Jan 12

check for time synch issues............

Didn't find what you were looking for? Find more on Kerberos Errors caused by Host Headers Or get search suggestion and latest updates.