Forum Discussion
SweetSounds_283
Nimbostratus
NimbostratusLTM VIP in front of CAS 2010 Kerberos errors
Hello,
Our CAS server logs are getting dozens of kerberos errors. They seem to indicate that the LTM is presenting a key from some other client
Notice that the client laptop11111 is using the target name laptop22222
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server laptop11111$. The target name used was cifs/laptop22222.domain.dom. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.DOM) is different from the client domain (DOMAIN.DOM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Any ideas as to what would cause this error in the CAS servers?
Michael_Koyfma1Cirrus
This is very hard to say from this description - but I would hazard a guess that it has nothing to do with the LTM itself but rather Exchange configuration necessary to support Kerberos. Have you reviewed this info?
http://technet.microsoft.com/en-us/library/ff808313.aspx
SweetSounds_283I will double check with our Exchange admin to be sure, but I believe we have.
(I also edited the original post - Not sure why it blew up when I pasted that copy)