Summary

The following error is reported to the Windows Event Viewer on one or more machines:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server.

Cause

In many cases, this error is caused by one of the following issues:

• Two identical Service Principal Names (SPNs) are registered in your Active Directory forest.

  Note: SPNs can be registered to both user and machine accounts.

• The Laserfiche Server's SPN is registered to the wrong account (i.e., it is not registered to the account the Laserfiche Server is currently running as).

Resolution

Review the error message reported by Kerberos to the Windows Event Viewer. In the error's description, identify either HTTP/myhost.example.com or LaserficheServer/myhost.example.com. In most cases, this is the SPN causing the error (note that the entire value in bold represents the SPN name).

If you are using Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, you can use the setspn command-line prompt to identify all of the accounts which this SPN has been assigned to. For example, setspn -T * -F -Q <SPNName>, where SPNName matches the SPN name listed in the error message. Each account that is returned will begin with CN=. Ensure that multiple accounts are not listed (which indicates the SPN is incorrectly assigned to multiple accounts) and that the SPN is assigned to the account the Laserfiche Server is currently running as.

To correct the issue, use the appropriate setspn commands to add and delete SPN account assignments, as necessary. For a list of setspn commands, enter setspn -help.

If you are not using one of the operating systems listed above, refer to Microsoft KB 321044 for alternative solutions.

More Information

• Kerberos Authentication problems - Service Principal Name (SPN) issues - Part 1
• Kerberos Authentication problems - Service Principal Name (SPN) issues - Part 2
• Kerberos Authentication problems - Service Principal Name (SPN) issues - Part 3
• Microsoft KB 321044