Kerberos troubleshooting guide
KRB_AP_ERR_MODIFIED and missing SPNs in Windows authentication
KRB_AP_ERR_MODIFIED usually means the service cannot decrypt the service ticket the client presented, most often because of an SPN or service account mismatch (the ticket was encrypted with a key that does not belong to the account the service actually runs as).
Common symptoms
- Browser repeatedly prompts for Windows credentials.
- Integrated Windows Authentication fails.
- Application logs show KRB_AP_ERR_MODIFIED.
Evidence to collect
- Application Kerberos error text.
- setspn -Q results for the service hostname.
- IIS/application pool or service account configuration.
- Windows Security Event IDs 4768, 4769, or 4625.
Common causes
- SPN registered to the wrong service account.
- SPN exists for an old hostname but not the current hostname.
- Duplicate SPNs exist.
How to fix or triage it
- Query the exact HTTP service SPN.
- Register the SPN on the correct service account.
- Remove duplicate or stale SPNs.
- Retest Kerberos after ticket cache refresh.
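The triage steps above reduce to reading the output of setspn -Q and deciding which cause applies. The following PowerShell function is an added example, not code from this page or from AccessTrace AI: it parses captured setspn -Q output, classifies it as missing SPN, duplicate SPN, or SPN on the wrong account, and returns the matching next check. The function name, the svc-finance-web and svc-old-portal accounts, and the sample output lines are constructed for illustration.

```powershell
# Added example (not from the AccessTrace AI page or product). Classifies the text
# printed by "setspn -Q <SPN>" into the causes listed in the guide and suggests the
# next check. Function name, account names and sample output are constructed.

function Get-SpnDiagnosis {
    param(
        [Parameter(Mandatory)][string]   $Spn,             # e.g. HTTP/finance.example.edu
        [Parameter(Mandatory)][string[]] $SetspnOutput,    # lines captured from: setspn -Q $Spn
        [string] $ExpectedAccount                          # CN of the account the app pool / service runs as
    )

    # setspn -Q prints each matching object's DN, then that object's SPNs indented below it.
    $owners  = New-Object System.Collections.Generic.List[string]
    $current = $null
    foreach ($line in $SetspnOutput) {
        if ($line -match '^(CN|OU|DC)=') { $current = $line.Trim(); continue }
        if ($current -and $line -match '^\s+(\S+)\s*$' -and $Matches[1] -ieq $Spn) {
            $owners.Add($current)
        }
    }

    $text = $SetspnOutput -join "`n"
    if ($text -match 'No such SPN found' -or $owners.Count -eq 0) {
        $finding = 'SPN missing: the KDC has no account key for this name, so no usable service ticket is issued'
        $next    = "setspn -S $Spn <service-account>   (-S refuses to create a duplicate)"
    }
    elseif ($owners.Count -gt 1) {
        $finding = "Duplicate SPN on $($owners.Count) objects: the ticket may be encrypted with the wrong account's key"
        $next    = "setspn -X to list duplicates, then setspn -D $Spn <wrong-account> on every object except the real service account"
    }
    elseif ($ExpectedAccount -and $owners[0] -notlike "CN=$ExpectedAccount,*") {
        # Assumption: the expected account's CN is the first RDN of its DN; confirm with Get-ADUser if names differ.
        $finding = "SPN on the wrong account: $($owners[0]) holds it, but the service runs as $ExpectedAccount"
        $next    = "setspn -D $Spn <current-owner>; setspn -S $Spn $ExpectedAccount"
    }
    else {
        $finding = "SPN present on $($owners[0]); check for a stale hostname and refresh the client ticket cache"
        $next    = 'klist purge on the client, retest, then review Event ID 4769 on the DC and 4625 on the server'
    }

    [pscustomobject]@{ Spn = $Spn; Owners = @($owners); Finding = $finding; NextStep = $next }
}

# Constructed sample of setspn -Q output for the missing-SPN case shown on the page.
$missing = @(
    'Checking domain DC=example,DC=edu',
    'No such SPN found.'
)

# Constructed sample with the same SPN registered on two accounts (duplicate-SPN case).
$duplicate = @(
    'Checking domain DC=example,DC=edu',
    'CN=svc-finance-web,OU=Service Accounts,DC=example,DC=edu',
    "`tHTTP/finance.example.edu",
    'CN=svc-old-portal,OU=Service Accounts,DC=example,DC=edu',
    "`tHTTP/finance.example.edu",
    '',
    'Existing SPN found!'
)

Get-SpnDiagnosis -Spn 'HTTP/finance.example.edu' -SetspnOutput $missing   -ExpectedAccount 'svc-finance-web' | Format-List
Get-SpnDiagnosis -Spn 'HTTP/finance.example.edu' -SetspnOutput $duplicate -ExpectedAccount 'svc-finance-web' | Format-List

# Live use on a domain-joined host with RSAT (setspn.exe) installed:
# Get-SpnDiagnosis -Spn 'HTTP/finance.example.edu' -SetspnOutput (setspn -Q 'HTTP/finance.example.edu') -ExpectedAccount 'svc-finance-web'
```

The function only reads setspn output; the setspn -S / -D commands it suggests are printed as next steps rather than executed, so the change to the directory stays a deliberate, reviewed action.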
How AccessTrace AI helps
- Detects missing-SPN and KRB_AP_ERR_MODIFIED evidence.
- Separates authentication failure from authorization failure.
- Creates clear next checks for Windows, AD, and app teams.
Example evidence
Kerberos authentication failed. Error: KRB_AP_ERR_MODIFIED
setspn -Q HTTP/finance.example.edu
Result: No such SPN found.
Turn messy access evidence into a report
Paste sanitized SSO, directory, certificate, or access-policy evidence into AccessTrace AI and generate findings, remediation steps, vendor questions, and ticket-ready language.
Start with the free plan