I was unable to configure outlook, while trying to configure outlook getting continues credentials prompt, not going ahead and getting the following error in event viewer of the client machine.
Log name: System
Event ID: 4
Error:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cas03$. The target name used was HTTP/autodiscover.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domain.com) is different from the client domain (domain.com), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Beside outlook issue, Lync 2010/Skype for business users were also getting the following credentials prompt and were same unable to authenticate, even typing the correct credentials many times. but were kept connected if just ignore the credentials prompt in skype for business
My environment: I have Hybrid environment with Exchange server 2013 on premise with office 365. same with Lync 2010 on premises and Skype for business online on Microsoft cloud.
After a lot of googling i came to know that lets check the UserPrinciplName with ServicePrinciplName using ADfind tool which you can download from (http://www.joeware.net/freetools/tools/adfind/index.htm) and after running the following command
adfind -f
"servicePrincipalName=HOST/webmail.mydomian.com" -gcb
the output was blank /
find nothingso ran
adfind -f "servicePrincipalName=HOST/autodiscover.mydomain.com" -gcb
and found the following two values with a lot of other values
>userPrincipalName: nawaz@mydomain.com
>servicePrincipalName: host/autodiscover.mydomain.com
Now Nawaz@mydomain.com was my domain admin account and after disabling/deleting this account my issue was resolved, was able to configure outlook and also the credentials prompt from skype for business gone. seems the issue was this user Nawaz@mydomain.com
No comments:
Post a Comment