Affected versions: Windows Server 2016


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Services authenticated by Kerberos start failing with KRB_AP_ERR_MODIFIED, breaking SQL, IIS, and SMB connections from domain users on Windows Server 2016.

Environment & Reproduction

Common after service account changes, host renames, or migrations that leave duplicate SPNs in AD.

setspn -X
setspn -L CORP\svc-sql
Get-WinEvent -LogName System -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Security-Kerberos'] and EventID=4]]" -MaxEvents 20

Root Cause Analysis

When an SPN is registered on more than one account, or on the wrong account, the KDC encrypts the service ticket with that account's key instead of the key of the service actually listening. The receiving service cannot decrypt the ticket, and the failed integrity check surfaces as KRB_AP_ERR_MODIFIED.

Quick Triage

Look for SPN duplicates and recent account changes.

setspn -X
Get-ADUser svc-sql -Properties ServicePrincipalNames | Select -ExpandProperty ServicePrincipalNames
Get-ADComputer SQL01 -Properties ServicePrincipalNames

Step-by-Step Diagnosis

Trace which principal owns the SPN and which client is requesting it.

setspn -Q MSSQLSvc/sql01.corp.local
klist purge
klist get MSSQLSvc/sql01.corp.local

Solution – Primary Fix

Remove the wrong SPN and assign it to the correct service account.


setspn -D MSSQLSvc/sql01.corp.local:1433 CORP\old-account
setspn -S MSSQLSvc/sql01.corp.local:1433 CORP\svc-sql
klist purge

Solution – Alternative Approaches

If multiple legacy duplicates exist, use a managed account or gMSA to consolidate SPN ownership.

Set-ADServiceAccount -Identity svc-sql -ServicePrincipalNames @{Add='MSSQLSvc/sql01.corp.local:1433'}
Install-ADServiceAccount svc-sql

Verification & Acceptance Criteria

Kerberos tickets are issued to the right principal and clients connect without falling back to NTLM.

klist get MSSQLSvc/sql01.corp.local
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4769]]" -MaxEvents 10

Rollback Plan

Reinstate prior SPN registration if downstream services need temporary fallback.

setspn -D MSSQLSvc/sql01.corp.local:1433 CORP\svc-sql
setspn -S MSSQLSvc/sql01.corp.local:1433 CORP\old-account

Prevention & Hardening

Document SPN ownership, prefer gMSAs, and audit duplicates regularly.

setspn -X | Out-File C:\Temp\spn-audit.txt
Get-ADServiceAccount -Filter * | Select Name,ServicePrincipalNames
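The Quick Triage and Prevention sections both rely on finding SPNs that are registered on more than one principal. setspn -X reports that duplicates exist but not who owns them; the script below (an added example, not part of the original article) enumerates SPNs on user, computer and managed service accounts and lists every owner of each duplicate, so the wrong registration can be removed with setspn -D. It assumes the ActiveDirectory RSAT module and read access to the domain; the Get-DuplicateSpn function name is an assumption.

```powershell
# Added example (not from the original article): list SPNs owned by more than one
# principal, with the owning accounts. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-DuplicateSpn {
    param(
        # Optional wildcard, e.g. 'MSSQLSvc/*', to limit the scan to one service class
        [string]$SpnPattern = '*'
    )

    # Only objects that carry at least one SPN are returned by this LDAP-style filter.
    $filter = 'ServicePrincipalName -like "*"'
    $principals = @(Get-ADUser           -Filter $filter -Properties ServicePrincipalName) +
                  @(Get-ADComputer       -Filter $filter -Properties ServicePrincipalName) +
                  @(Get-ADServiceAccount -Filter $filter -Properties ServicePrincipalName)

    $owners = foreach ($p in $principals) {
        foreach ($spn in $p.ServicePrincipalName) {
            if ($spn -like $SpnPattern) {
                [pscustomobject]@{
                    # SPN matching is case-insensitive, so normalise before grouping
                    Spn   = $spn.ToLowerInvariant()
                    Owner = $p.SamAccountName
                    Class = $p.ObjectClass
                }
            }
        }
    }

    # A gMSA can be returned by both Get-ADComputer and Get-ADServiceAccount, so
    # count distinct owners per SPN; more than one distinct owner is a duplicate.
    $owners | Group-Object Spn | Where-Object {
        @($_.Group.Owner | Select-Object -Unique).Count -gt 1
    } | ForEach-Object {
        [pscustomobject]@{
            Spn    = $_.Name
            Owners = ($_.Group | Sort-Object Owner -Unique |
                      ForEach-Object { "$($_.Owner) ($($_.Class))" }) -join ', '
        }
    }
}

# Usage: scan SQL SPNs and keep the report beside the setspn -X audit output
Get-DuplicateSpn -SpnPattern 'MSSQLSvc/*' |
    Tee-Object -FilePath C:\Temp\spn-duplicates.txt |
    Format-Table -AutoSize
```

Run it with an account that can read the domain; an empty result after the fix is the expected acceptance state.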

Related Errors & Cross-Refs

Often co-occurs with NTLM fallback, RDP NLA failures, and IIS Negotiate authentication issues.


References & Further Reading

Microsoft Learn: Service Principal Names, Kerberos troubleshooting, and gMSA SPN management.
