server replies with AP_ERR_MODIFIED

Feb 28, 2011 at 6:49 AM

Hi Waffle,

I am new to this group/community. I am doing Kerberos delegation (middle tier server to the back-end server), and from the front-end client to the middle tier server, which is NTLM authentication. All machines are in the same domain. Now the problem is that when the delegated user logs in to the back-end server from the middle tier, he gets the ticket for the actual user who logged in using NTLM authentication. When this ticket is sent to the back-end server from the middle tier server, the server replies with the error message KRB5KRB_AP_ERR_MODIFIED. Here are my SPNs set for the delegated user.

setspn -l <domainname>\<delegated_user_account>



Now the service is CIFS. The middle tier server is a Linux box which is joined to the domain. The back-end server is a W2k3 server. The process goes like this: from the client, user A logs in using the NTLM authentication protocol, and from the middle tier server, the delegated user logs in to the back-end server and gets the ticket for the CIFS service for user A. Now when the middle tier server gives this service ticket to the application server, this server returns KRB5KRB_AP_ERR_MODIFIED. Please tell me how I can solve this problem.

Thanks,



Feb 28, 2011 at 12:14 PM

I think you should ask this question with the Samba CIFS folks or something like that. Waffle is a high level wrapper for Win32 API, much less involved than anything you're doing here.

Feb 28, 2011 at 12:31 PM

Hi dblock,

Thanks for replying. I read the discussion made by mermeister on the same problem. He mentioned that "you run your app as a service, because then you can explicitly set the service's login to use the service account's password" but I don't know exactly what he was saying. Link to go to that discussion: Can you please help me with this? I tried a lot to get rid of this error: KRB5KRB_AP_ERR_MODIFIED.