Kerberos fails with AP_ERR_MODIFIED

Jan 24, 2011 at 7:13 PM

I'm new to Waffle and Kerberos, and I think I have an SPN problem... can you help me straighten this out, please?

Here's the SPN that I've created, using a User account named KerberosTestApp:

setspn -L MYDOMAIN\KerberosTestApp
Registered ServicePrincipalNames for CN=KerberosTestApp,CN=Users,DC=mydomain,DC=com:

My server's Computer account doesn't have an explicit HOST/theServer SPN... the mapping is done dynamically, isn't it?

At login time, my client is granted a service ticket (TGS-REP) that says the server name (service and instance) is HTTP/

The ticket is sent in the next GET, for which the server returns a 401 with the AP_ERR_MODIFIED error code. The server name that appears in the error message is (service and host) HOST/

Note the difference in service class. Is that a problem, or is it just that the server chose a different name type? If it is the problem, how can I fix it? Did I create my SPNs backwards?



Jan 26, 2011 at 5:24 PM

Okay, I got it. For any other newbies out there:

Kerberos is implemented through the exchange of encrypted and signed messages. Some of the encryption keys are based on the passwords of accounts in the Active Directory. The client machine uses the account and password of the user who has logged in. When the client requests a ticket for access to the remote service, an SPN tells the Active Directory which service account's password to use.

But how does the server application know which account and password to use? The AP_ERR_MODIFIED error code means the server can't decrypt something or verify a signature, so clearly the password it's using is wrong.

If you log in to your server and run your app by executing a batch file, etc., Kerberos authentication won't work. The application runs under your account and (I assume) the server ends up with its default service principal, HOST/theServer, which is mapped to the machine's Computer account, not a service account. The only way it'll work is if you run your app as a service, because then you can explicitly set the service's login to use the service account's password.

I still have other problems, but at least I got past this!

Jan 27, 2011 at 1:45 PM

Very nice. I'm adding this to the troubleshooting Negotiate FAQ.

Jan 27, 2011 at 7:50 PM
Edited Feb 2, 2011 at 9:32 PM

I have everything working now. For one, I had to explicitly add my server as an intranet site; for some reason the auto-detect wouldn't work. And I had to run my server with SSL because my company forces the "Require server verification for all sites in this zone" checkbox.

Plus, I'm running JBoss as a service and discovered that, depending on which service wrapper you use, the service account may need admin privileges on the server machine.

Waffle rocks! No more fooling around trying to get 3rd-party single sign-on servers to work reliably!

Jan 27, 2011 at 7:52 PM
mermeister wrote:

Waffle rocks! No more fooling around trying to get 3rd-party single sign-on servers to work reliably!

Gr8. We like good ratings and short answers to this thread :)

Feb 28, 2011 at 11:43 AM

Hi mermeister,

I am new to this group/community. I have a similar problem and need your help to get rid of this error KRB5KRB_AP_ERR_MODIFIED. Please go through the link for the details of my scenario. I tried a lot to get away from this error but no luck. Here my service is CIFS.

Please help me in this matter. I have written the code to delegate the user using Heimdal and get a ticket on behalf of a delegated user account. The ticket is given to the application server, and there it is returning an error from host/<hostname>.<domainname>.com

Mar 1, 2011 at 4:39 PM

You can use the Services console to explicitly set the account that a Windows service runs under. That account should be the same one that your SPN maps to. Bring up the console (XP: Control Panel | Admin Tools | Services, Win7: type Services in the Start menu's search field), and double-click your service. Select the Log On tab and This Account. You can type in the UPN of the service, e.g. ..., but I like to use the Browse features to get Windows to mind the details. Enter the password twice and you're done. If it succeeds you've entered the data correctly and, back in the Services console, your service's Log On As entry should be the name of your service account.
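The two posts above boil down to one check: the account that holds the SPN must be the account the Windows service logs on as, otherwise the KDC encrypts the service ticket with one account's key and the service tries to decrypt it with another's, which surfaces as KRB5KRB_AP_ERR_MODIFIED. The script below is an added example, not code from this thread or from the Waffle project. It looks up the SPN owner in Active Directory with the built-in [adsisearcher] accelerator (no AD module required), reads the service's Log On As account via WMI, and reports whether they match. The SPN "HTTP/theServer.mydomain.com" and the service name "JBoss" are hypothetical defaults; pass your own. It must be run on the server as a domain user.

```powershell
# Added diagnostic: does the account owning an SPN match the account the service runs as?
# Assumptions (hypothetical values): SPN 'HTTP/theServer.mydomain.com', service name 'JBoss'.
param(
    [string]$Spn         = "HTTP/theServer.mydomain.com",   # hypothetical
    [string]$ServiceName = "JBoss"                           # hypothetical
)

# 1. Which AD account registers this SPN? servicePrincipalName is multi-valued, so an
#    equality filter on the full value is exact. More than one hit means a duplicate SPN.
$searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
$owners   = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })

if ($owners.Count -eq 0) {
    Write-Warning "No account registers $Spn. The KDC cannot issue a ticket for it and clients will typically fall back to NTLM."
} elseif ($owners.Count -gt 1) {
    Write-Warning "Duplicate SPN $Spn on: $($owners -join ', '). Duplicates break Kerberos; remove all but one with 'setspn -D'."
} else {
    "SPN $Spn is registered on account: $($owners[0])"
}

# 2. Which account does the Windows service log on as?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
$logon = $svc.StartName   # e.g. 'MYDOMAIN\KerberosTestApp', 'LocalSystem', 'NT AUTHORITY\NetworkService'
"Service $ServiceName logs on as: $logon"

# 3. Reduce the logon name to the sAMAccountName Kerberos will use.
#    LocalSystem and NetworkService authenticate on the network as the computer account,
#    whose sAMAccountName is '<COMPUTERNAME>$' (the HOST/<name> principal from the thread).
$effective = switch -Regex ($logon) {
    '^(LocalSystem|NT AUTHORITY\\(NetworkService|SYSTEM))$' { "$env:COMPUTERNAME`$"; break }
    '^[^\\]+\\(.+)$' { $Matches[1]; break }   # DOMAIN\user      -> user
    '^([^@]+)@.+$'   { $Matches[1]; break }   # user@domain.com  -> user
    default          { $logon }
}

# 4. Compare. A mismatch here is precisely the condition that produces AP_ERR_MODIFIED:
#    the ticket is sealed with the SPN owner's key, the service unseals with its own.
if ($owners.Count -eq 1) {
    if ($owners[0] -eq $effective) {
        "OK: tickets for $Spn are encrypted with the key of $($owners[0]), the account running the service."
    } else {
        Write-Warning "MISMATCH: $Spn belongs to '$($owners[0])' but the service runs as '$effective'. Either move the SPN (setspn -D / setspn -A) to the service's account or change the service's Log On account."
    }
}
```

Run it as `.\Check-SpnOwner.ps1 -Spn HTTP/theServer.mydomain.com -ServiceName JBoss` (file name is your choice). The LocalSystem/NetworkService mapping is why the first poster saw HOST/theServer in the error: a service on a built-in account presents the computer account, not the user account the SPN was put on.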

Mar 2, 2011 at 7:16 AM


Thanks for replying. But my service is CIFS and my client is running as a virtual machine (Fedora) in VirtualBox installed on a Windows 7 machine. And the SPNs were also registered correctly for the domain account. I am getting the service ticket, but the ticket was encrypted using the domain account password hash. When I give this ticket to the application server in a Session Setup AndX request, I am getting the error KRB5KRB_AP_ERR_MODIFIED. This is actually a delegation concept where the delegated user will get the service ticket for some other user X, so this is actually failing. But a normal standalone user works fine. My client is a Linux box. Finally, AD and the application server are on the same machine and all of them are VMs. My scenario is different, whereas everyone explains an HTTP request to an IIS server and from the IIS server a CIFS request to the app server. Can you please explain where I went wrong regarding the server configuration for constrained delegation in a W2K3 server and the SPNs? The Fedora machine is joined to the domain also.

So we have 3 machines: one client, one Linux box, one AD+App Server. From the client to the Linux box we do NTLM for the user X. From the Linux box the delegated user logs in and gives his credentials to the AD and gets the service ticket for the user X. Now this ticket, which is sent to the App server, gives a reply error from host. Now everything is a CIFS service, no HTTP involved here. Please help, as I tried a lot.

I registered SPN like this

setspn -a cifs/<hostname>.<domainname>.<com>   <domainname>\<delegated_user>

setspn -a cifs/<hostname>   <domainname>\<delegated_user>
Mar 2, 2011 at 3:33 PM

Sorry, I have no experience with delegation... good luck!

Mar 3, 2011 at 12:37 PM

I would try the Samba mailing list. Sorry I can't be more helpful.