KRB_AP_ERR_MODIFIED is a common Kerberos authentication failure. It means that the encrypted Kerberos authentication data the client sent could not be decrypted correctly on the server. When a Kerberos client requests a ticket for a service, it identifies that service by its SPN, and the KDC issues the client a service ticket encrypted with the service's key, which is normally derived from the password of the AD account the SPN is registered on. Common causes include:
- Duplicate SPNs
- Incorrect DNS settings
- Two computers with the same name in different domains
- The client requested the wrong SPN
- Incorrect IIS (kernel-mode/user-mode authentication) settings
- Registry
- KList (built into Windows 2008 and later)
- ipconfig
- Network Monitor
- Enable Kerberos logging on the client computer (see "How to enable Kerberos event logging")
- Open a command prompt with administrator rights and run "klist purge" to clear the cached Kerberos tickets.
- Run "ipconfig /flushdns" to clear the DNS cache.
- Run Network Monitor on both the client and the web server.
- Reproduce the problem.
- Network Monitor capture:
- Http: Response, HTTP/1.1, Status: Unauthorized, URL: / , Using GSS-API Authentication ProtocolVersion: HTTP/1.1 StatusCode: 401, Unauthorized Reason: Unauthorized … - WWWAuthenticate: Negotiate … - Authenticate: Negotiate oWwwaqADCgEBomMEYWBfBgkqhkiG9xIBAgIDAH5QME6gAwIBBaEDAgEepBEYDzIwMTExMDE0MDUxMDE0WqUFAgMG362mAwIBKakKGwhURVN ULkNPTaoXMBWgAwIBAaEOMAwbCmNvbnRvc29zdmM= WhiteSpace: - NegotiateAuthorization: Scheme: Negotiate - GssAPI: 0x1 - NegotiationToken: - ChoiceTag: - NegTokenResp: - ResponseToken: 0x1 - KerberosToken: 0x1 - KerberosInitToken: … - InnerContextToken: 0x1 - KerberosToken: 0x1 TokId: Krb5Error (0x300) - Error: KRB_ERROR (30) …. + ErrorCode: KRB_AP_ERR_MODIFIED (41) + Realm: TEST.COM + Sname: contososvc Date: Fri, 14 Oct 2011 05:10:14 GMT ContentLength: 341
Log Name: System Source: Microsoft-Windows-Security-Kerberos Date: 10/13/2011 10:10:05 PM Event ID: 4 Task Category: None Level: Error Keywords: Classic User: N/A Computer: IIS02.test.com Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server contososvc. The target name used was HTTP/iis01.test.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (TEST.COM) is different from the client domain (TEST.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
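The Event ID 4 entry above names two things a troubleshooter needs: the server that returned the error and the target SPN the client used. As an added example (not part of the original article), this PowerShell parses those two fields out of the event text so repeated failures on a client can be grouped by the SPN that could not be decrypted. The function names, the regular expressions and the trimmed sample message are mine; the live query assumes the standard System log on a Windows client.

```powershell
# Added example, not from the original article: extract server and target SPN
# from Microsoft-Windows-Security-Kerberos Event ID 4 messages.

function ConvertFrom-KerberosEvent4 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Message,
        [datetime] $TimeCreated = (Get-Date),
        [string] $Computer = $env:COMPUTERNAME
    )
    $server = $null; $spn = $null; $targetHost = $null
    # Sentence 1: "... KRB_AP_ERR_MODIFIED error from the server <server>."
    if ($Message -match 'error from the server (?<srv>\S+)\. The target name') { $server = $Matches.srv }
    # Sentence 2: "The target name used was <SPN>. This indicates ..."
    if ($Message -match 'The target name used was (?<spn>.+?)\. This indicates') { $spn = $Matches.spn }
    # Host part of an HTTP/<host> style SPN; this is what DNS alias problems change.
    if ($spn -and $spn -match '^[^/]+/(?<h>[^/:]+)') { $targetHost = $Matches.h }
    [pscustomobject]@{
        TimeCreated = $TimeCreated
        Computer    = $Computer
        Server      = $server
        TargetSpn   = $spn
        TargetHost  = $targetHost
    }
}

function Get-KerberosModifiedErrors {
    # Reads recent Kerberos client errors from the System log (local or remote computer).
    param([string] $ComputerName = $env:COMPUTERNAME, [int] $MaxEvents = 200)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            ConvertFrom-KerberosEvent4 -Message $_.Message -TimeCreated $_.TimeCreated -Computer $_.MachineName
        }
}

# Constructed sample: the event text quoted above, trimmed to the sentences the parser uses.
$sample = 'The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server contososvc. ' +
          'The target name used was HTTP/iis01.test.com. This indicates that the target server failed to decrypt the ticket provided by the client.'
ConvertFrom-KerberosEvent4 -Message $sample -Computer 'IIS02.test.com' | Format-List

# On a live client, group recent failures by the SPN that could not be decrypted:
# Get-KerberosModifiedErrors | Group-Object TargetSpn | Sort-Object Count -Descending | Select-Object Count, Name
```

For the sample above the parser returns Server = contososvc, TargetSpn = HTTP/iis01.test.com and TargetHost = iis01.test.com, which is exactly the mismatch the rest of the article explains: the client asked for the IIS server's own name while the service runs as contososvc.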
Scenario 1: duplicate SPNs
Windows 2008 and later ship with setspn, which can be used to detect duplicate SPNs.
Below is sample output from the setspn that ships with Windows Server 2008 SP2.
On Windows 2003 and XP, the ldifde tool can be used to search for duplicate SPNs. Below is an example for HTTP/contoso.
ldifde -s GCName -t 3268 -f d:\spn.ldf -d "dc=test, dc=com" -l servicePrincipalName -r "(servicePrincipalName=HTTP/contoso)"
ldifde -s GCName -t 3268 -f d:\spn.ldf -d "dc=test, dc=com" -l servicePrincipalName -r "(servicePrincipalName=*contoso*)"
Scenario 2: incorrect DNS settings
For example, with DNS configured as follows:
Contoso CNAME iis01.test.com
iis01.test.com A
When IE opens the web site, it contacts the server using the server's host name (IIS01) rather than the CNAME (Contoso). Authentication can then fail with KRB_AP_ERR_MODIFIED when the SPNs are registered as follows:

| SPN | Registered on |
|---|---|
| HTTP/Contoso.test.com | test\contososvc |
| HOST/IIS01.test.com | test\iis01 (machine account) |
Network Monitor trace of the failed request
IE sends the request to http://contoso and issues a DNS query for contoso. In the trace below, the DNS response resolves contoso.test.com through a CNAME to iis01.test.com, and the TGS request that follows names HTTP/iis01.test.com rather than HTTP/Contoso.test.com, which is registered on a different account.
+ Ipv4: Src =, Dest =, Next Protocol = UDP, Packet ID = 9717, Total IP Length = 62 + Udp: SrcPort = 64506, DstPort = DNS(53), Length = 42 - Dns: QueryId = 0x4BB1, QUERY (Standard query), Query for contoso.test.com of type Host Addr on class Internet
+ Ipv4: Src =, Dest =, Next Protocol = UDP, Packet ID = 6526, Total IP Length = 98 + Udp: SrcPort = DNS(53), DstPort = 64506, Length = 78 - Dns: QueryId = 0x4BB1, QUERY (Standard query), Response - Success, 49, 0 QueryIdentifier: 19377 (0x4BB1) … - ARecord: contoso.test.com of type CNAME on class Internet: iis01.test.com - ARecord: iis01.test.com of type Host Addr on class Internet: …
+ Ipv4: Src =, Dest =, Next Protocol = TCP, Packet ID = 9728, Total IP Length = 0 + Tcp: Flags=...AP..., SrcPort=50044, DstPort=Kerberos(88), PayloadLen=1488, Seq=4106960882 - 4106962370, Ack=354586390, Win=513 (scale factor 0x8) = 131328 - Kerberos: TGS Request Realm: TEST.COM Sname: HTTP/iis01.test.com …
- If the client is IE, KB911149 describes the fix for this problem.
- If the client application uses System.Net.HttpWebRequest, set the target name through AuthenticationManager.CustomTargetNameDictionary.
- On the DNS server, configure a host (A) record for the IIS server instead of an alias (CNAME).
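Scenarios 1 and 2 come down to the same two questions: which SPN will the client actually ask the KDC for, and which account(s) hold it? As an added example (not from the original article), the PowerShell below resolves the URL's host name, derives the SPN for the typed name and for the canonical name behind any CNAME, and queries the Global Catalog for the accounts holding each, flagging duplicates and alias mismatches. The function names are mine; `DC=test,DC=com` is a placeholder taken from the article's domain, and the code assumes a domain-joined machine with the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the original article: which SPN will be requested,
# and who holds it? Serves the duplicate-SPN check (scenario 1) and the CNAME
# check (scenario 2).

function Get-SpnHolders {
    param(
        [Parameter(Mandatory)] [string] $Spn,
        [Parameter(Mandatory)] [string] $SearchBase
    )
    # GC:// binds to a Global Catalog (port 3268), so the whole forest is searched,
    # like "ldifde -t 3268" above. Escape LDAP filter metacharacters; "*" is left
    # alone so wildcard searches such as *contoso* still work.
    $escaped  = $Spn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(servicePrincipalName=$escaped)", [string[]]@('sAMAccountName'))
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['samaccountname'][0] }
}

function Test-KerberosTargetName {
    param(
        [Parameter(Mandatory)] [string] $Url,           # the URL users type, e.g. http://contoso
        [string] $SearchBase = 'DC=test,DC=com'         # forest root naming context (placeholder from the article)
    )
    $hostName = ([uri]$Url).Host
    $records  = Resolve-DnsName -Name $hostName -Type A -ErrorAction Stop
    $cname    = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $aRecord  = $records | Where-Object { $_.Type -eq 'A' }     | Select-Object -First 1

    # Fully qualified typed name vs. canonical name: for an alias, the A record
    # belongs to the CNAME target, which is the name IE uses for its SPN.
    $typedFqdn = if ($cname) { $cname.Name } else { $aRecord.Name }
    $canonical = if ($cname) { $cname.NameHost } else { $aRecord.Name }
    $spnTyped     = "HTTP/$typedFqdn"
    $spnCanonical = "HTTP/$canonical"
    $typedHolders     = @(Get-SpnHolders -Spn $spnTyped     -SearchBase $SearchBase)
    $canonicalHolders = @(Get-SpnHolders -Spn $spnCanonical -SearchBase $SearchBase)

    $findings = @()
    # Scenario 1: the same SPN on more than one account.
    if ($typedHolders.Count -gt 1) {
        $findings += "Duplicate SPN $spnTyped registered on: $($typedHolders -join ', ')"
    }
    if (($spnCanonical -ne $spnTyped) -and ($canonicalHolders.Count -gt 1)) {
        $findings += "Duplicate SPN $spnCanonical registered on: $($canonicalHolders -join ', ')"
    }
    # Scenario 2: the alias and the canonical host resolve to different SPN holders.
    $sameHolders = ((($typedHolders | Sort-Object) -join ',') -eq (($canonicalHolders | Sort-Object) -join ','))
    if ($cname -and -not $sameHolders) {
        $canonicalText = if ($canonicalHolders.Count) { $canonicalHolders -join ', ' } else { 'none; the KDC falls back to HOST/ on the computer account' }
        $findings += "$typedFqdn is a CNAME for $canonical; a client that follows it requests $spnCanonical (held by: $canonicalText) instead of $spnTyped (held by: $($typedHolders -join ', '))"
    }

    $resolvedVia = if ($cname) { "CNAME -> $canonical" } else { 'A record' }
    [pscustomobject]@{
        Url                    = $Url
        ResolvedVia            = $resolvedVia
        SpnForTypedName        = $spnTyped
        SpnForCanonicalName    = $spnCanonical
        HoldersOfTypedName     = $typedHolders
        HoldersOfCanonicalName = $canonicalHolders
        Findings               = $findings
    }
}

# Usage on a domain-joined client:
# Test-KerberosTargetName -Url 'http://contoso' | Format-List
```

With the article's records (contoso CNAME iis01.test.com, HTTP/Contoso.test.com on contososvc, only HOST/ on the machine account) the output lists HoldersOfTypedName = contososvc, HoldersOfCanonicalName empty, and a finding describing the mismatch. On Windows 2008 and later the duplicate check alone is also available as `setspn -X`, which is the built-in equivalent of the ldifde searches above.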
Scenario 3: SPN registered on the wrong account (incorrect IIS 7 authentication settings)
IIS 7.0 enables kernel-mode authentication by default. With kernel-mode authentication, authentication runs under the machine account regardless of which account the application pool runs as, so the machine account is used to decrypt the Kerberos ticket.
In some cases, however, a domain account rather than the machine account has to be the decrypting account, for example when a web farm is in use. For such cases you can set useAppPoolCredentials="true" so that IIS authenticates with the web application pool identity without disabling kernel-mode authentication.
In IIS 7 there are three Windows authentication configurations, and each requires the SPN to be registered on a different account. If it is registered on the wrong one, authentication can fail with KRB_AP_ERR_MODIFIED.
- Kernel-mode authentication disabled
- Kernel-mode authentication enabled with useAppPoolCredentials
- Kernel-mode authentication enabled
Note: "machine account" covers every identity that represents the local computer on the network: Network Service, Local System, Local Service and, for IIS 7, ApplicationPoolIdentity. "Service account" means a domain account used as the application pool identity.
| Kernel Mode Authentication | useAppPoolCredentials | Application Pool Identity | Web Site Binding To | HTTP/ SPN registered on | Comments |
|---|---|---|---|---|---|
| Enabled (default) | False (default) | Service account, e.g. domain\contosoService | IIS server's NetBIOS name; accessed as http(s)://IIS_Server_NetBIOS_Name or http(s)://IIS_Server_FQDN | Service account | The Kerberos ticket is encrypted by the service account and decrypted by the IIS server's computer account. |
| Enabled (default) | False (default) | Service account, e.g. domain\contosoService | A custom host header; accessed as http(s)://Contoso | Service account | The Kerberos ticket is encrypted by the service account and decrypted by the IIS server's computer account. |
| Enabled (default) | True | Service account, e.g. domain\contosoService | IIS server's NetBIOS name; accessed as http(s)://IIS_Server_NetBIOS_Name or http(s)://IIS_Server_FQDN | HTTP/IIS_Server_NetBIOS_Name is not registered on any account, or is registered on the IIS server's computer account | The Kerberos ticket is encrypted by the IIS server's computer account and decrypted by the service account. |
SPN and IIS configuration reference
| Configuration | Kernel Mode Authentication | useAppPoolCredentials | Application Pool Identity | URL used to access web site | SPN requirement | Comments |
|---|---|---|---|---|---|---|
| 1 | Enabled (default) | False (default) | No matter | http(s)://IIS_Server_NetBIOS_Name or http(s)://IIS_Server_FQDN | No HTTP/ SPN required; by default HOST/IIS_Server_NetBIOS_Name is used. If you want, you can register HTTP/IIS_Server_NetBIOS_Name on the server (computer account). | This is the default scenario for IIS 7+ when the web application is accessed by the IIS server's computer name. |
| 2 | Enabled (default) | False (default) | No matter | http(s)://Customer_Host_Name | Register the SPN on the IIS server's computer account, e.g. SetSPN -a HTTP/Customer_Host_NAME IIS_SRV_NetBIOS | Some applications require this when the application pool identity needs special permissions. |
| 3 | Enabled (default) | True | Service account, e.g. domain\contosoService | http(s)://Customer_Host_Name | Register the SPN on the service account, e.g. SetSPN -a HTTP/Customer_Host_NAME domain\contosoService | |
| 4 | Enabled (default) | True | Service account, e.g. domain\contosoService | http(s)://IIS_Server_NetBIOS_Name or http(s)://IIS_Server_FQDN | Register the SPN on the service account, e.g. SetSPN -a HTTP/IIS_SERVER_FQDN domain\contosoService | Select this scenario when the web site is bound to the IIS server's computer name and runs under a domain account. |
| 5 | Disabled | No matter | Service account, e.g. domain\contosoService | http(s)://Customer_Host_Name | Register the SPN on the service account, e.g. SetSPN -a HTTP/Customer_Host_NAME domain\contosoService | Same as the IIS 6 scenario. |
| 6 | Disabled | No matter | Service account, e.g. domain\contosoService | | Register the SPN on the service account, e.g. SetSPN -a HTTP/IIS_SERVER_NetBIOS_NAME domain\contosoService | Same as the IIS 6 scenario. |
| 7 | Disabled | No matter | Machine account | http(s)://Customer_Host_Name | Register the SPN on the IIS server's computer account, e.g. SetSPN -a HTTP/Customer_Host_NAME IIS_SRV_NetBIOS | Same as the IIS 6 scenario. |
| 8 | Disabled | No matter | Machine account | | No HTTP/ SPN required; by default HOST/IIS_Server_NetBIOS_Name is used. If you want, you can register HTTP/IIS_Server_NetBIOS_Name on the server (computer account). | Similar to the default IIS 6 scenario. |
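The eight configurations above reduce to one rule: the account that decrypts the ticket is the computer account when kernel-mode authentication is on and useAppPoolCredentials is off, and the application pool identity otherwise (which is again the computer account for the built-in identities). As an added example, not part of the original article and not IIS's own code, the PowerShell below encodes that rule, reports which account the HTTP/ SPN must live on, and prints the setspn command; a second function reads the real settings of a site through the WebAdministration module, which it assumes is installed. The function names are mine, and IIS01, contoso.test.com and TEST\contososvc are placeholders taken from the article's example.

```powershell
# Added example, not from the original article: which account must hold the
# HTTP/ SPN for a given IIS Windows-authentication configuration?

function Get-IisKerberosSpnRequirement {
    param(
        [Parameter(Mandatory)] [string] $UrlHost,            # host name in the URL users type, e.g. contoso.test.com
        [Parameter(Mandatory)] [string] $IisComputerName,    # NetBIOS name of the IIS server, e.g. IIS01
        [bool]   $KernelModeAuth        = $true,             # useKernelMode (IIS 7+ default)
        [bool]   $UseAppPoolCredentials = $false,            # useAppPoolCredentials (default)
        [string] $AppPoolIdentity       = 'ApplicationPoolIdentity'   # or a domain account such as TEST\contososvc
    )
    # Built-in pool identities all present the computer account on the network (see the note above).
    $builtIn = 'ApplicationPoolIdentity', 'NetworkService', 'LocalSystem', 'LocalService'
    $poolIsMachine = ($AppPoolIdentity -in $builtIn) -or ($AppPoolIdentity -like 'NT AUTHORITY\*') -or ($AppPoolIdentity -like 'IIS AppPool\*')

    # Decryption rule distilled from the reference table.
    if (($KernelModeAuth -and -not $UseAppPoolCredentials) -or $poolIsMachine) {
        $decryptor = 'ComputerAccount'; $account = $IisComputerName
    } else {
        $decryptor = 'ServiceAccount';  $account = $AppPoolIdentity
    }

    # The client asks for HTTP/<host in URL>. With computer-account decryption and the
    # server's own name (configurations 1 and 8) the HOST/ SPN already covers it.
    $spn       = "HTTP/$UrlHost"
    $isOwnName = ($UrlHost -eq $IisComputerName) -or ($UrlHost -like "$IisComputerName.*")
    $needsSpn  = -not (($decryptor -eq 'ComputerAccount') -and $isOwnName)
    # setspn -s refuses to add an SPN that already exists in the forest, which prevents
    # creating the duplicate of scenario 1 (the article's examples use -a).
    $command = if ($needsSpn) { "setspn -s $spn $account" } else { "none needed: HOST/$IisComputerName on the computer account is used" }

    [pscustomobject]@{
        ClientRequestsSpn = $spn
        DecryptedBy       = $decryptor
        DecryptingAccount = $account
        SpnRequired       = $needsSpn
        Command           = $command
    }
}

function Get-IisSiteKerberosSpnRequirement {
    # Reads the live settings of a site on this IIS server (assumes the WebAdministration module).
    param([Parameter(Mandatory)] [string] $SiteName, [Parameter(Mandatory)] [string] $UrlHost)
    Import-Module WebAdministration
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    $site   = "IIS:\Sites\$SiteName"
    $kernel = [bool](Get-WebConfigurationProperty -Filter $filter -Name useKernelMode -PSPath $site).Value
    $uapc   = [bool](Get-WebConfigurationProperty -Filter $filter -Name useAppPoolCredentials -PSPath $site).Value
    $pool   = Get-Item ("IIS:\AppPools\" + (Get-Item $site).applicationPool)
    $identity = if ($pool.processModel.identityType -eq 'SpecificUser') { $pool.processModel.userName } else { [string]$pool.processModel.identityType }
    Get-IisKerberosSpnRequirement -UrlHost $UrlHost -IisComputerName $env:COMPUTERNAME `
        -KernelModeAuth $kernel -UseAppPoolCredentials $uapc -AppPoolIdentity $identity
}

# Configuration 3 of the reference table: custom host name, domain account, useAppPoolCredentials=true.
Get-IisKerberosSpnRequirement -UrlHost 'contoso.test.com' -IisComputerName 'IIS01' -UseAppPoolCredentials $true -AppPoolIdentity 'TEST\contososvc'
# First failing row of the misconfiguration table: same site, useAppPoolCredentials left at its default.
Get-IisKerberosSpnRequirement -UrlHost 'contoso.test.com' -IisComputerName 'IIS01' -AppPoolIdentity 'TEST\contososvc'
```

The first call reports that TEST\contososvc decrypts and prints `setspn -s HTTP/contoso.test.com TEST\contososvc`. The second reports that the computer account IIS01 decrypts, so an HTTP/contoso.test.com SPN held only by contososvc produces KRB_AP_ERR_MODIFIED; the fix is either to move the SPN to IIS01 (configuration 2) or to set useAppPoolCredentials (configuration 3), never to register it on both.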