
Why is presence of SPN on an account causing Kerberos "failed to decrypt" error (KRB_AP_ERR_MODIFIED)

Çağlar Arlı

I am in a corporate environment with on-premises AD on the company.com domain.

We have an AWS VPC hosting some .Net APIs in IIS - the domain these are in is companycloud.com. These APIs are all on the same box.

Some of these .Net APIs make calls back to themselves through HTTP. For example:

A call to "Tasks API" at https://myapis.companycloud.com/apis/tasks/1 might, during its execution, make an HTTP call to "Users API" at https://myapis.companycloud.com/apis/users/someusername. The credentials used for this connection are company.com\svc_account_1.

This all worked until...

The other day I created a service account company.com\SVC_CompanyAPIs with SPNs of HTTP/myapis.companycloud.com and HTTP/myapis-company.msappproxy.net (I don't think this second SPN is part of the problem, but I include it for completeness). The idea with the service account was to facilitate Windows auth from outside the organisation. I ran the /apis site app pool under this identity for a while...

But now all the sites are running back under the default ApplicationPoolIdentity in IIS. However, when one API tries to call another, I get an SPN error...

 System 
  - Provider 
   [ Name]  Microsoft-Windows-Security-Kerberos 
   [ Guid]  {98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1} 
   [ EventSourceName]  Kerberos 
 
  - EventID 4 
   [ Qualifiers]  16384 
 
   Version 0 
   Level 2  
   Task 0 
   Opcode 0 
   Keywords 0x80000000000000 
 
  - TimeCreated 
   [ SystemTime]  2024-07-19T12:35:02.172582000Z 
 
   EventRecordID 162718 
   Correlation 
 
  - Execution 
   [ ProcessID]  0 
   [ ThreadID]  0 
 
   Channel System 
 
   Computer EC2AMAZ-SFS299P.companycloud.com 
 
- EventData 

  Server ec2amaz-sfs299p$ 
  TargetRealm COMPANYCLOUD.COM 
  Targetname HTTP/myapis.companycloud.com 
  ClientRealm COMPANY.COM 

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ec2amaz-sfs299p$. The target name used was HTTP/myapis.companycloud.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (COMPANYCLOUD.COM) is different from the client domain (COMPANY.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

I have seen such errors before when trying to configure Kerberos.

What is confusing me here is that if I disable the account SVC_CompanyAPIs and restart the box, this error goes away. This account is not even referenced by any code on the box or used to run any app pool in IIS etc. It seems like the very existence of an account which has an SPN defined on it matching the host+domain of the site is causing some issue.

Could someone please explain why this happens?
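The event text quoted above names the conditions that produce KRB_AP_ERR_MODIFIED, chief among them an SPN registered on an account other than the one the service actually runs as, or the same SPN existing in more than one domain. The PowerShell below is an added example, not part of the original post, that enumerates every account holding a given SPN in each listed domain, reports whether each holder is enabled, and compares the result with the identity the service uses. The SPN, the two domain names and the machine account name EC2AMAZ-SFS299P$ are taken from the post; the ActiveDirectory module (RSAT) and read access to both domains are assumed.

```powershell
# Added example, not from the original post. Lists every account that holds
# the given SPN in each listed domain and compares the result with the
# account the service really runs as. Requires the ActiveDirectory module
# (RSAT) and read access to both domains.
function Test-SpnOwnership {
    param(
        [Parameter(Mandatory)] [string]   $Spn,
        [Parameter(Mandatory)] [string[]] $Domains,
        # sAMAccountName the service presents to Kerberos. Under IIS's
        # ApplicationPoolIdentity that is the computer account (NAME$).
        [Parameter(Mandatory)] [string]   $ExpectedAccount
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # LDAP filters treat ( ) * \ as metacharacters; escape them per RFC 4515.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29'

    # Query each domain separately: the same SPN string can be registered in
    # both, and a client in one domain will get its ticket from its own KDC.
    $holders = foreach ($domain in $Domains) {
        Get-ADObject -Server $domain -LDAPFilter "(servicePrincipalName=$escaped)" `
                     -Properties sAMAccountName, userAccountControl |
            ForEach-Object {
                [pscustomobject]@{
                    Domain   = $domain
                    Account  = $_.sAMAccountName
                    Class    = $_.ObjectClass
                    Disabled = [bool]($_.userAccountControl -band 0x2)  # ACCOUNTDISABLE flag
                    DN       = $_.DistinguishedName
                }
            }
    }

    $enabled = @($holders | Where-Object { -not $_.Disabled })

    if ($enabled.Count -eq 0) {
        Write-Warning "No enabled account holds $Spn; Kerberos cannot be used for this name."
    }
    elseif ($enabled.Count -gt 1) {
        $where = ($enabled.Domain | Sort-Object -Unique) -join ', '
        Write-Warning "$Spn is held by $($enabled.Count) enabled accounts ($where); a KDC may issue a ticket encrypted with a key the service does not have."
    }

    if (-not ($enabled | Where-Object { $_.Account -ieq $ExpectedAccount })) {
        Write-Warning "$Spn is not registered on $ExpectedAccount, the identity the service runs as."
    }

    return $holders
}

# Values from the post: the SPN in the event, both domains, and the IIS
# host's machine account (app pools run as ApplicationPoolIdentity).
Test-SpnOwnership -Spn 'HTTP/myapis.companycloud.com' `
                  -Domains 'company.com', 'companycloud.com' `
                  -ExpectedAccount 'EC2AMAZ-SFS299P$' |
    Format-Table Domain, Account, Class, Disabled -AutoSize
```

Run it from a domain-joined host with rights to read both domains. The table it prints shows every object carrying the SPN, which makes the situation in the post visible at a glance: with the site back under ApplicationPoolIdentity the service decrypts tickets with the computer account's key, so the expected holder is the computer object in companycloud.com, while the SPN also sits on SVC_CompanyAPIs in company.com. The Disabled column records the state the poster toggled when the error came and went.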