First published on TechNet on Feb 13, 2009
Hi, this is Manish Singh from the Directory Services team and I am going to talk about the machine account password process. Ever wondered what goes on ...
Updated Apr 27, 2020
Version 14.0
Blog Post
Nice!!
I got a problem with SQL Server and Kerberos Authentication.
The SQL Instance runs under the Virtual Account "NT SERVICE\MSSQLSERVER". All possible SPN are correctly registered to the machine account.
When some client attempts authentication on SQL Server using Windows Authentication, the client gets the Kerberos Ticket succesffully (i can see it on output of klist).
But, when the client send its to the my SQL instance, it cannot decrypt the ticket, and client receives "Cannot generate SSPI". Looking at the kerberos log, on event viewer, i get the KRB_AP_ERR_MODIFIED error.
This can be triggered by a different machine account password on my SQL Server instance and the password stored on Active Directory?
Just more data: I've used the AdExplorer from sysinternals to look in some properties of machine account in AD and I noted that the attribute badPasswordTime keeps updated. In other servers, last value is from two years ago.