My domain/servers have been running OK for awhile (years that is), but recently servers started refusing logins with "Password incorrect". And only way to fix that was server reboot. Then some servers would be OK for weeks before that happened again. Some would need restart every other day. No, pattern whatsoever! Then I logged in locally and found KRB_AP_ERR_MODIFIED error. Yes, there are many articles on how to fix that, but all of them go about different SPNs like HOST/ or MSSQLSrv/, duplicate accounts present etc etc. I do not see any of that in event log. I have same server name, same domain. Only difference is server name is lowercase, target name uppercase. Any ideas?
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server d365bi01$. The target name used was D365BI01$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Service Principal Names (SPNs) are not case sensitive when used by Microsoft Windows-based computers. However, an SPN can be used by any type of computer system. Many of these computer systems, especially UNIX-based systems, are case-sensitive and require the proper case to function properly. Care should be taken to use the proper case particularly when an SPN can be used by a non-Windows-based computer.