Why is presence of SPN on an account causing Kerberos "failed to decrypt" error (KRB_AP_ERR_MODIFIED)
I am in a corporate environment with on-premises AD on the company.com domain.
We have an AWS VPC hosting some .NET APIs in IIS; the domain these are in is companycloud.com. These APIs are all on the same box.
Some of these .NET APIs make calls back to themselves through HTTP. For example, a call to "Tasks API" at https://myapis.companycloud.com/apis/tasks/1 might, during its execution, make an HTTP call to "Users API" at https://myapis.companycloud.com/apis/users/someusername. The credentials used for this connection are company.com\svc_account_1.
This all worked until...
The other day I created a service account company.com\SVC_CompanyAPIs with SPNs of

HTTP/myapis.companycloud.com

and

HTTP/myapis-company.msappproxy.net

(I don't think this second SPN is part of the problem, but I include it for completeness). The idea with the service account was to facilitate Windows auth from outside the organisation. I ran the /apis site app pool under this identity for a while...
But now all the sites are running back under the default ApplicationPoolIdentity in IIS. However, when one API tries to call another, I get an SPN error...
System
- Provider
[ Name] Microsoft-Windows-Security-Kerberos
[ Guid] {98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}
[ EventSourceName] Kerberos
- EventID 4
[ Qualifiers] 16384
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2024-07-19T12:35:02.172582000Z
EventRecordID 162718
Correlation
- Execution
[ ProcessID] 0
[ ThreadID] 0
Channel System
Computer EC2AMAZ-SFS299P.companycloud.com
- EventData
Server ec2amaz-sfs299p$
TargetRealm COMPANYCLOUD.COM
Targetname HTTP/myapis.companycloud.com
ClientRealm COMPANY.COM
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ec2amaz-sfs299p$. The target name used was HTTP/myapis.companycloud.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (COMPANYCLOUD.COM) is different from the client domain (COMPANY.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
I have seen such errors before when trying to configure Kerberos.
What is confusing me here is that if I disable the account SVC_CompanyAPIs and restart the box, this error goes away. This account is not even referenced by any code on the box or used to run any app pool in IIS, etc. It seems like the very existence of an account which has an SPN defined on it matching the host+domain of the site is causing some issue.
Could someone please explain why this happens?
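The mechanism behind the symptom, as an added toy model (not code from the question or from any Kerberos implementation): the KDC picks the key that wraps the service ticket by looking up the requested SPN, not by looking at which account the IIS app pool actually runs as. The HMAC tag stands in for Kerberos ticket encryption, and treating a disabled account as ineligible for the lookup is an assumption chosen to match what the question observed; the HTTP/ to HOST/ fallback reflects the HOST SPN class covering HTTP on the machine account.

```python
import hmac, hashlib
from dataclasses import dataclass, field

# Constructed directory modelled on the question: the app pool runs as the
# machine account, while a separate service account holds the HTTP/ SPN.
@dataclass
class Account:
    name: str
    key: bytes                       # stands in for the account's Kerberos long-term key
    spns: set = field(default_factory=set)
    enabled: bool = True

DIRECTORY = [
    Account("EC2AMAZ-SFS299P$", b"machine-key", {"HOST/myapis.companycloud.com"}),
    Account("SVC_CompanyAPIs", b"svc-key", {"HTTP/myapis.companycloud.com"}),
]

def kdc_lookup(spn: str):
    """KDC-side resolution: whichever account holds the SPN supplies the key.
    HTTP/ falls back to HOST/ (the machine account) only when no enabled
    account holds the HTTP/ SPN (skipping disabled accounts is an assumption)."""
    for candidate in (spn, "HOST/" + spn.split("/", 1)[1]):
        for acct in DIRECTORY:
            if acct.enabled and candidate in acct.spns:
                return acct
    return None

def issue_ticket(spn: str):
    """Return (ticket body, tag under the SPN owner's key, owner name)."""
    acct = kdc_lookup(spn)
    body = f"client=svc_account_1@COMPANY.COM;service={spn}".encode()
    return body, hmac.new(acct.key, body, hashlib.sha256).digest(), acct.name

def service_accepts(ticket, service_key: bytes) -> str:
    """The service can only 'decrypt' a ticket wrapped with its own key."""
    body, tag, _ = ticket
    expected = hmac.new(service_key, body, hashlib.sha256).digest()
    return "OK" if hmac.compare_digest(tag, expected) else "KRB_AP_ERR_MODIFIED"

def simulate(svc_account_enabled: bool):
    """IIS runs as the machine account; report who wrapped the ticket and the outcome."""
    DIRECTORY[1].enabled = svc_account_enabled
    ticket = issue_ticket("HTTP/myapis.companycloud.com")
    return ticket[2], service_accepts(ticket, DIRECTORY[0].key)
```

With SVC_CompanyAPIs enabled the ticket is wrapped with that account's key and the machine-account service rejects it; with it disabled the lookup falls through to HOST/ on the machine account and the call succeeds, matching the behaviour described above.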