KERBEROS error 4

Published 12 March 8 6:30 PM | Vlada.Ilic

A few days ago one of my clients asked me to migrate ISA services from his old hardware to a brand new HP server.

Easy...;)

I joined the new server to the domain, duplicated the network configuration (while disconnected, of course), copied the hosts file, exported and imported the ISA settings as XML, disabled unnecessary services, etc.
At the end I replaced the old box with the new one and connected it to the company network.
We tested inbound and outbound rules and everything worked fine.

Except... one of the domain controllers (the PDC emulator) started to report this event in its System log every now and then:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/isa.company.com.  The target name used was HTTP/firewall.company.com. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (COMPANY.COM), and the client realm.   Please contact your system administrator.

Reason:
The new server had a different name (ISA) than the old one (FIREWALL).

Solution:
I deleted the A record "firewall" from the company DNS zone and the error disappeared.

Advice:
I prefer to use a DNS CNAME "proxy" that points to the real name of the company's ISA server. In the previous example nothing had to be changed on client machines, because they were already configured with the "proxy.company.com" string in the proxy settings of their internet browsers (through group policy).
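
An added example, not part of the original post: a small Python triage helper that parses the event text quoted above and compares the host that answered with the name the client asked for, which is the mismatch the Reason section describes. The sample messages are constructed (the first copies the event shown on this page, the second is invented), and the function names and verdict labels are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input: message 1 copies the event text quoted on this page,
# message 2 is an invented variant in which both names agree.
SAMPLE_EVENTS = [
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "host/isa.company.com.  The target name used was HTTP/firewall.company.com. "
    "This indicates that the password used to encrypt the kerberos service ticket ...",
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "host/web1.company.com.  The target name used was HTTP/web1.company.com. ...",
]

EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server\s+(?P<server>\S+?)\.\s+"
    r"The target name used was\s+(?P<target>\S+?)\.(?:\s|$)",
    re.IGNORECASE,
)

def host_of(principal):
    """Reduce 'HTTP/fw.company.com@REALM', 'host/isa.company.com' or 'ISA$' to a short host name."""
    name = principal.split("@", 1)[0]               # drop the realm, if present
    parts = name.split("/")
    name = parts[1] if len(parts) > 1 else parts[0]  # drop the service class
    name = name.split(":", 1)[0]                    # drop a port, if present
    return name.rstrip("$").split(".", 1)[0].lower()

def classify(message):
    """Return target, responder and a verdict for one event message, or None if it is another event."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    target, server = m.group("target"), m.group("server")
    if host_of(target) != host_of(server):
        verdict = "name-mismatch"  # requested name reaches a differently named host: review DNS records for it
    else:
        verdict = "same-name"      # names agree: look at the causes the event text itself lists
    return {"target": target, "responder": server, "verdict": verdict}

def summarize(messages):
    """Count distinct (target, responder, verdict) combinations across many events."""
    hits = Counter()
    for msg in messages:
        r = classify(msg)
        if r:
            hits[(r["target"], r["responder"], r["verdict"])] += 1
    return hits

if __name__ == "__main__":
    for (target, responder, verdict), n in summarize(SAMPLE_EVENTS).most_common():
        print(f"{n:3d}  {verdict:14s} requested={target}  answered_by={responder}")
```
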

Comments

# Paki said on March 13, 2008 8:22 AM:

Hi Vlada! Welcome to the msforge community!

# Vlada.Ilic said on March 13, 2008 10:12 PM:

Glad to have found you, heroes...;)
