Active Directory issues and fixes

Why does Kerberos fail to authenticate, and what happens when it does?

From tackling oversized tickets and missing SPNs to resolving clock skew drama and double hop headache, this guide has the tools you need.

  • Ticket size too big, server can't handle it
  • Clock skew drama
  • SPN gone missing
  • Double hop blues
  • Kerberos overload
  • RC4 encryption still hanging around
  • Duplicate SPNs, double the trouble

1. Ticket size too big, server can't handle it

Error message: usually none from Kerberos itself. The symptoms are an HTTP 400 ("Bad Request - Request Too Long") from IIS, Group Policy or logon failures, and event ID 6 from source Kerberos in the System log reporting that the SSPI package produced a token larger than the token buffer.

Issue

The Kerberos ticket is too large, most often because the user belongs to too many groups (directly or through nesting) or carries a long SID history. Every SID the user resolves to is embedded in the ticket's PAC, and the resulting token has to fit in the buffer the receiving application reserves for it.

Fix A:

Increase MaxTokenSize in the registry on every computer that produces or consumes the token, clients and servers alike (the same value can be pushed with the Group Policy setting Set maximum Kerberos SSPI context token buffer size under Computer Configuration > Policies > Administrative Templates > System > Kerberos):

How to do it

  • Open the Registry Editor (regedit).
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  • If the Parameters key doesn't exist, create it: right-click Kerberos > New > Key, and name it Parameters.
  • Right-click in the right pane > New > DWORD (32-bit) Value, and name it MaxTokenSize.
  • Double-click MaxTokenSize, select Decimal, and set the value to 48000 (already the default on Windows 8 / Windows Server 2012 and later; older versions default to 12000). Values up to 65535 are accepted, but 48000 is the practical ceiling: base64 expands a 48000-byte token to 64000 characters in an HTTP Authorization header, which is about as much as HTTP.sys can be configured to accept (MaxFieldLength and MaxRequestBytes top out at 65534, and usually need raising from their 16 KB default as well).
  • Reboot: the value is only read at startup.
Fixing Active Directory Kerberos and authentication issues

Fix B:

Avoid bloating user group memberships; it's a ticket, not a carry-on bag. Nested groups and SID history count too: the PAC carries every SID the user resolves to, not just the direct memberships ADUC shows.

How to do it

  • Review user group memberships in Active Directory Users and Computers (ADUC); for the effective list, nested groups included, run whoami /groups in a session logged on as that user.
  • Remove users from unnecessary groups:
  1. Open ADUC > Locate the user > Right-click > Properties > Go to Member Of tab.
  2. Remove non-essential groups, and clean out stale SID history left over from migrations.
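The two fixes above, as an added example that is not part of the original page: a function that sets MaxTokenSize the way the registry steps describe, and one that estimates a user's token size from their recursive group membership using Microsoft's sizing rule of thumb (1200 + 40 per domain-local group + 8 per global/universal group or SID-history entry), so you can see whether the buffer or the membership is the thing to fix. It assumes the ActiveDirectory module (RSAT) is installed and that it runs elevated on the machine whose registry you want to change; the account name jdoe is a constructed placeholder, and the estimate only counts groups in the user's own domain.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module;
# 'jdoe' is a constructed placeholder account.
Import-Module ActiveDirectory

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-MaxTokenSize {
    param([ValidateRange(12000, 65535)][int]$Bytes = 48000)
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name MaxTokenSize -PropertyType DWord -Value $Bytes -Force | Out-Null
    # The value is read at boot; tell the operator rather than rebooting behind their back.
    Write-Warning "MaxTokenSize set to $Bytes; reboot before expecting it to take effect."
}

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser $SamAccountName -Properties sidHistory
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership in a single query.
    # (Escape '(' ')' '\' '*' in the DN if the CN contains them.)
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" -Properties GroupScope
    # Rule of thumb from KB327825: TokenSize = 1200 + 40*d + 8*s
    #   d = domain-local groups, s = global + universal groups + SID history entries.
    $d = @($groups | Where-Object GroupScope -eq 'DomainLocal').Count
    $s = @($groups | Where-Object GroupScope -ne 'DomainLocal').Count + @($user.sidHistory).Count
    [pscustomobject]@{
        User            = $SamAccountName
        DomainLocal     = $d
        GlobalUniversal = $s
        EstimatedBytes  = 1200 + 40 * $d + 8 * $s
    }
}

function Get-ConfiguredMaxTokenSize {
    $v = (Get-ItemProperty -Path $KerbParams -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    # An absent value means the OS default: 12000 before Windows 8/2012, 48000 from then on.
    if ($v) { $v } else { 'OS default (12000 pre-Windows 8/2012, 48000 later)' }
}

# Usage: compare the estimate with the configured buffer before touching anything.
Get-EstimatedTokenSize -SamAccountName 'jdoe' |
    Add-Member -NotePropertyName ConfiguredMax -NotePropertyValue (Get-ConfiguredMaxTokenSize) -PassThru
# Set-MaxTokenSize -Bytes 48000   # only if the estimate exceeds the configured buffer
```

If EstimatedBytes is close to the configured maximum, trimming memberships (Fix B) buys more than raising the buffer, because every machine in the path would need the new value.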

2. Clock skew drama

Error message: KRB_AP_ERR_SKEW – "Clock skew too great."

Issue

Time synchronization issues between the client, the KDC and the service cause Kerberos authentication failures: the timestamp in every authenticator is the replay defence, so anything more than the tolerance (five minutes by default) out of step is rejected.

Fix A:

Sync everything to one time hierarchy: domain members and non-PDC domain controllers take time from the domain, and only the forest-root PDC emulator is pointed at an external NTP source.

How to do it

  • Open a command prompt as an administrator.
  • On the forest-root PDC emulator only, set the external source: w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:yes /update
  • On every other DC and on members, follow the domain hierarchy: w32tm /config /syncfromflags:domhier /update
  • Resync and verify: w32tm /resync, then w32tm /query /status and check the Source and Phase Offset lines.
  • On virtual machines, make sure the hypervisor's time synchronization is not fighting the Windows Time service; one source per machine.

Fix B:

Keep the time difference under five minutes, or Kerberos throws a tantrum. Five minutes is the default "Maximum tolerance for computer clock synchronization" in the domain's Kerberos Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy); widening it only enlarges the window for replaying captured authenticators, so fix the clocks instead and enforce the time source through Group Policy.

How to do it

  • Open Group Policy Management and edit a GPO linked to the affected computers.
  • Navigate to: Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers.
  • Enable Configure Windows NTP Client; set Type to NT5DS for domain members (so they follow the domain hierarchy) or NTP with an explicit NtpServer for the PDC emulator, and enable Enable Windows NTP Client alongside it.
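An added example, not from the original page, for the skew section: it measures the clock offset between the machine it runs on and every domain controller using w32tm's strip chart, and flags any DC outside the Kerberos tolerance, then applies the domain-hierarchy configuration from Fix A. It assumes the ActiveDirectory module, UDP/123 reachability to the DCs, and that w32tm /stripchart /dataonly prints one "HH:mm:ss, +00.0001234s" line per sample (the format on current Windows versions).

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-KerberosClockSkew {
    param(
        # Kerberos Policy default for "Maximum tolerance for computer clock synchronization".
        [int]$ToleranceSeconds = 300
    )
    foreach ($dc in Get-ADDomainController -Filter *) {
        $target = "/computer:$($dc.HostName)"
        # /dataonly prints one "HH:mm:ss, +00.0001234s" line per sample (assumed format).
        $out  = & w32tm.exe /stripchart $target /samples:1 /dataonly 2>&1
        $line = $out | Where-Object { "$_" -match ',\s*[+-]\d+\.\d+s' } | Select-Object -Last 1
        $offset = $null
        if ($line -and ("$line" -match ',\s*([+-]\d+\.\d+)s')) {
            $offset = [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            OffsetSeconds    = $offset          # $null means the DC did not answer NTP
            WithinTolerance  = ($null -ne $offset) -and ([math]::Abs($offset) -lt $ToleranceSeconds)
        }
    }
}

function Set-DomainTimeSource {
    # Members and non-PDC DCs follow the domain hierarchy; only the forest-root
    # PDC emulator should carry a manual external peer.
    & w32tm.exe /config /syncfromflags:domhier /update | Out-Null
    & w32tm.exe /resync | Out-Null
    & w32tm.exe /query /status
}

# Usage: run on the complaining client; any row with WithinTolerance = False explains the KRB_AP_ERR_SKEW.
Get-KerberosClockSkew | Format-Table -AutoSize
```

A DC that returns no offset at all is worth as much attention as one that is five minutes out: clients will still try to authenticate against it and time out before moving on.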

3. SPN gone missing

Error message: KDC_ERR_S_PRINCIPAL_UNKNOWN – "Server not found in Kerberos database." Windows clients then fall back to NTLM without telling the user, so the first visible sign is often an NTLM logon (event 4624 with Authentication Package NTLM) where Kerberos was expected. (KRB_AP_ERR_NOT_US, "The ticket isn't for us," is what a service reports when it receives a ticket issued for a different principal.)

Issue

The requested service does not have a valid SPN (Service Principal Name) registered, or the SPN is registered on an account other than the one the service actually runs as.

Fix A:

Use setspn to check whether the SPN exists and which account holds it.

How to do it

  • Open Command Prompt as an administrator.
  • Run: setspn -Q <SPN> (searches the forest for that exact SPN and prints the owning account, or "No such SPN found").
  • Run: setspn -L <domain>\<account> (lists every SPN registered on the account the service runs as).

Fix B:

If it's missing, add it with setspn -S, which refuses to create a duplicate; setspn -A adds blindly and is how duplicates are born.

How to do it

  • Run: setspn -S <SPN> <Account>
  • Replace <SPN> with the service principal name and <Account> with the account the service runs as: the computer account for services running as Local System or Network Service, otherwise the service account.
  • Register both the short host name and the FQDN form (for example HTTP/<host> and HTTP/<host>.<domain>); clients request a ticket for whichever name they used to connect.

Fix C:

Don't forget to double-check the SPN spelling; Kerberos is not forgiving of typos.

How to do it

  • Confirm that the SPN matches the format ServiceClass/HostName[:Port][/ServiceName], that the host name is the one clients actually connect to, and that the port is included only when the service listens on a non-default port (named SQL Server instances, for example).
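The three fixes above combined, as an added example that is not part of the original page: a format check for the SPN, a lookup of who currently holds it, and a registration that refuses to create a duplicate (the same safety setspn -S gives you). It assumes the ActiveDirectory module; the SPNs HTTP/web01 and HTTP/web01.corp.example.com and the account svc-web are constructed placeholders, and the lookup covers the current domain unless you point it at a global catalog.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module;
# the SPNs and the 'svc-web' account are constructed placeholders.
Import-Module ActiveDirectory

function Test-SpnFormat {
    param([Parameter(Mandatory)][string]$Spn)
    # ServiceClass/Host[:Port][/ServiceName]. The host part must be the name clients use.
    $Spn -match '^[A-Za-z0-9_-]+/[A-Za-z0-9][A-Za-z0-9.-]*(:\d{1,5})?(/[^/\s]+)?$'
}

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # servicePrincipalName is indexed, so this is cheap. Current domain only; add
    # -Server <dc>:3268 (global catalog) for a forest-wide answer like setspn -Q.
    # Escape ( ) * \ in the SPN if it contains them.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Register-SpnIfMissing {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$Account    # sAMAccountName of the account the service runs as
    )
    if (-not (Test-SpnFormat $Spn)) { throw "Malformed SPN: $Spn" }
    $owners = @(Get-SpnOwner $Spn)
    if ($owners.Count -gt 0) {
        # Adding it to a second account would create a duplicate and KRB_AP_ERR_MODIFIED later.
        Write-Warning "$Spn is already registered on: $($owners.DistinguishedName -join '; ')"
        return $owners
    }
    # Same effect as `setspn -S`. Use Set-ADComputer instead when the service runs as
    # Local System / Network Service and the SPN belongs on the computer account.
    Set-ADUser -Identity $Account -ServicePrincipalNames @{Add = $Spn}
    Get-SpnOwner $Spn
}

# Usage: register both forms, because clients ask for whichever name they connected with.
foreach ($spn in 'HTTP/web01', 'HTTP/web01.corp.example.com') {
    Register-SpnIfMissing -Spn $spn -Account 'svc-web'
}
```

If Get-SpnOwner returns an account that is not the one the service runs as, you have found the real cause: the SPN is not missing, it is on the wrong principal, and the KDC is issuing tickets encrypted with a key the service does not have.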

4. Double hop blues

Error Message: none from Kerberos on the first hop. The second hop simply arrives without a user identity: the back end sees an anonymous or null session (SQL Server, for example, reports "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'") or a plain access-denied error.

Issue

Kerberos authentication fails when a service needs to act as the user towards a second server (double-hop scenario): the front end holds only a service ticket for itself, not the user's credentials, so it cannot obtain a ticket for the back end unless it has been trusted for delegation.

Fix A:

Enable Kerberos delegation for the account the front-end service runs as (the computer account if it runs as Local System or Network Service). The Delegation tab only appears once the account has at least one SPN.

How to do it

  • Open ADUC > Locate the service account > Properties > Delegation tab.
  • Select Trust this user for delegation to specified services only.
  • Under that option choose Use Kerberos only, click Add, and pick the back-end service's account and SPN (for example MSSQLSvc/<sqlhost>:1433).

Fix B:

Never pick "Trust this user for delegation to any service (Kerberos only)": that is unconstrained delegation, and a front end configured that way caches the TGT of every user who connects to it, so whoever compromises the front end holds those users' credentials, domain admins included. Stay with constrained delegation, and avoid "Use any authentication protocol" (protocol transition) unless the front end genuinely cannot receive Kerberos from its clients, because it lets the service obtain tickets for users who never authenticated to it.

How to do it

  • On the Delegation tab, choose Trust this user for delegation to specified services only with Use Kerberos only, and list only the back-end SPNs the front end actually needs.
  • Where the back end lives in another domain, or you would rather the back end's owner control who may delegate to it, use resource-based constrained delegation instead: set it on the back-end account with Set-ADComputer (or Set-ADUser) -PrincipalsAllowedToDelegateToAccount.
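An added example, not from the original page, covering the delegation fixes above: it audits the domain for accounts trusted for unconstrained delegation and for protocol transition (the two settings Fix B warns against), and moves a front-end service account to constrained, Kerberos-only delegation towards a named back end. It assumes the ActiveDirectory module and permission to write the account; svc-web and the MSSQLSvc SPNs are constructed placeholders.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module;
# 'svc-web' and the SQL SPNs are constructed placeholders.
Import-Module ActiveDirectory

# userAccountControl bits (decimal):
#   524288   TRUSTED_FOR_DELEGATION         unconstrained ("any service")
#   16777216 TRUSTED_TO_AUTH_FOR_DELEGATION protocol transition ("use any authentication protocol")
#   8192     SERVER_TRUST_ACCOUNT           domain controllers, which legitimately carry 524288
function Get-UnconstrainedDelegation {
    $filter = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'
    Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Get-ProtocolTransition {
    # These accounts can mint tickets for users who never authenticated to them with
    # Kerberos; treat them with the same suspicion as unconstrained delegation.
    Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' -Properties 'msDS-AllowedToDelegateTo' |
        Select-Object Name, ObjectClass, @{n = 'AllowedTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' }}
}

function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$Account,       # front-end service account (sAMAccountName)
        [Parameter(Mandatory)][string[]]$TargetSpn    # back-end SPNs it may delegate to
    )
    # Clear the unconstrained and protocol-transition bits, then set the allowed targets
    # (this is what "specified services only" + "Use Kerberos only" writes).
    Set-ADAccountControl -Identity $Account -TrustedForDelegation $false -TrustedToAuthForDelegation $false
    Set-ADUser -Identity $Account -Replace @{'msDS-AllowedToDelegateTo' = $TargetSpn}
    Get-ADUser $Account -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
        Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
}

# Usage: audit first, then restrict the web front end to the SQL back end only.
Get-UnconstrainedDelegation | Format-Table -AutoSize
Get-ProtocolTransition      | Format-Table -AutoSize
Set-ConstrainedDelegation -Account 'svc-web' -TargetSpn 'MSSQLSvc/sql01.corp.example.com:1433', 'MSSQLSvc/sql01:1433'
```

Anything Get-UnconstrainedDelegation returns that is not a domain controller should be moved to constrained delegation or have the flag removed; it is the single most valuable finding in a delegation review.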

5. Kerberos overload

Error Message: There isn't a specific Kerberos error message for the Key Distribution Center (KDC) overload; however, symptoms include slow authentication responses or failures.

Issue

The KDC is overloaded with authentication requests.

Fix A:

Spread the load over every domain controller: clients locate a KDC through the _kerberos SRV records and their AD site, so a DC only shares the load if it is healthy, registered in DNS, and reachable on TCP and UDP port 88.

How to do it

  • Ensure all domain controllers are functional using: dcdiag /v (the Advertising, KccEvent, Replications and SysVolCheck tests matter most here).
  • Check KDC SRV records in DNS: nslookup -type=SRV _kerberos._tcp.<domain> (every DC should appear; nltest /dsgetsite on a client shows which site it believes it is in, and therefore which DCs it prefers).
  • Check that each DC answers on port 88 from the client's network; a DC that is up but blocked by a firewall makes clients wait for a timeout before they try the next one.

Fix B:

Find and fix the clients that hammer the KDC with failed requests. Scheduled tasks, services, mapped drives and saved credentials that still carry an old password retry indefinitely, producing a stream of failed pre-authentication (event 4771, status 0x18) and account lockouts.

How to do it

  • On each DC, filter the Security log for event 4771 (Kerberos pre-authentication failed) and group by client address and account name; the top of that list is your offender.
  • Fix the stale credential on the offending host; reducing retries is not a fix. If you do need to tune lockouts, the setting is Account lockout threshold under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy, not Security Options.
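The two fixes above as an added example that is not part of the original page: it resolves the _kerberos SRV records, tests each advertised KDC on its port, and then ranks the clients and accounts behind failed pre-authentication on a given DC. It assumes the ActiveDirectory module, the DnsClient and NetTCPIP cmdlets, and read access to the DC's Security log; dc01.corp.example.com is a constructed name.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module
# plus Resolve-DnsName / Test-NetConnection; 'dc01.corp.example.com' is a placeholder.
Import-Module ActiveDirectory

function Test-KdcAvailability {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # Resolve-DnsName also returns the A records for the targets; keep only the SRV rows.
    $srv = Resolve-DnsName -Type SRV -Name "_kerberos._tcp.$Domain" -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    foreach ($rec in $srv) {
        $tcp = Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Kdc       = $rec.NameTarget
            Port      = $rec.Port
            Priority  = $rec.Priority
            Weight    = $rec.Weight
            Reachable = $tcp.TcpTestSucceeded
        }
    }
}

function Get-NoisyKerberosClients {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Hours = 1,
        [int]$Top = 10
    )
    # 4771 = Kerberos pre-authentication failed. Status 0x18 = bad password,
    # 0x25 = clock skew (KRB_AP_ERR_SKEW). Both come from clients that retry forever.
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Client = $data.IpAddress; User = $data.TargetUserName; Status = $data.Status }
    } |
        Group-Object Client, User, Status |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

# Usage
Test-KdcAvailability | Format-Table -AutoSize
Get-NoisyKerberosClients -DomainController 'dc01.corp.example.com' -Hours 1 | Format-Table -AutoSize
```

A single client at the top of the 4771 list with status 0x18 every few seconds is almost always a service or task with a stale password; the same report with status 0x25 sends you back to the clock skew section.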

6. RC4 encryption still hanging around

Error Message: KDC_ERR_ETYPE_NOTSUPP – "KDC has no support for encryption type," returned when the client, the KDC and the target account have no encryption type in common. (KRB_AP_ERR_BAD_INTEGRITY, "Integrity check on decrypted field failed," points at a wrong key, typically a stale keytab or a service account whose password changed, rather than at RC4.)

Issue

Kerberos is still using, or falling back to, RC4-HMAC. An RC4 Kerberos key is the account's NT hash with no salt or key stretching, so RC4 service tickets are far cheaper to crack offline (Kerberoasting) than AES ones, and any account or policy that still permits RC4 lets an attacker ask for them.

Fix A:

Check and update the encryption types allowed by policy:

How to do it

  • Open Group Policy Management and edit the GPO that applies to domain controllers, servers and clients.
  • Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  • Open Network security: Configure encryption types allowed for Kerberos and select AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types; leave RC4_HMAC_MD5 and the DES types cleared.
  • Before clearing RC4, audit what still uses it: event 4769 on the DCs with Ticket Encryption Type 0x17 identifies the services (and 4768 the clients) that would break.

Fix B:

Use AES (Advanced Encryption Standard) per account as well as per policy.

How to do it

  • Set msDS-SupportedEncryptionTypes on service accounts and computers to AES only (AES128 = 8, AES256 = 16, so 24 for both), for example with Set-ADUser <account> -KerberosEncryptionType AES128,AES256.
  • AES keys are only derived when a password is set, so reset the password once on any account created before the domain supported AES, and rotate the krbtgt password (twice, with replication in between) so the TGTs themselves stop being RC4.
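The RC4 fixes above as an added example that is not part of the original page: it decodes msDS-SupportedEncryptionTypes, lists SPN-bearing accounts (the Kerberoasting targets) that still allow RC4, finds services that actually received RC4 tickets in the last day, and switches an account to AES. It assumes the ActiveDirectory module and read access to a DC's Security log; dc01.corp.example.com and svc-web are constructed placeholders.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module;
# 'dc01.corp.example.com' and 'svc-web' are constructed placeholders.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes.
$EncTypes = [ordered]@{ DES_CRC = 1; DES_MD5 = 2; RC4 = 4; AES128 = 8; AES256 = 16 }

function ConvertFrom-SupportedEncryptionTypes {
    param([AllowNull()][int]$Value)
    # Unset (null/0) means the KDC applies its defaults, which historically include RC4.
    if (-not $Value) { return 'not set (defaults, RC4 allowed)' }
    ($EncTypes.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object Key) -join ','
}

function Get-Rc4Accounts {
    # Accounts with SPNs can be Kerberoasted; RC4 tickets for them are the cheapest to crack.
    Get-ADObject -LDAPFilter '(&(servicePrincipalName=*)(|(objectClass=user)(objectClass=computer)))' `
        -Properties 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            $v = $_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                Name      = $_.Name
                Class     = $_.ObjectClass
                EncTypes  = ConvertFrom-SupportedEncryptionTypes $v
                AllowsRc4 = (-not $v) -or (($v -band 4) -ne 0)
            }
        } | Where-Object AllowsRc4
}

function Get-Rc4TicketEvents {
    param([Parameter(Mandatory)][string]$DomainController, [int]$Hours = 24)
    # 4769 = service ticket requested; TicketEncryptionType 0x17 = RC4-HMAC (0x12 = AES256, 0x11 = AES128).
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.TicketEncryptionType -eq '0x17') {
                [pscustomobject]@{ Service = $d.ServiceName; User = $d.TargetUserName; Client = $d.IpAddress }
            }
        } | Group-Object Service | Sort-Object Count -Descending | Select-Object Count, Name
}

function Set-AesOnly {
    param([Parameter(Mandatory)][string]$Account)
    Set-ADUser -Identity $Account -KerberosEncryptionType AES128, AES256
    # AES keys only exist once a password has been set after the change, so older
    # accounts (and krbtgt) need a reset before RC4 can be switched off for them.
    Write-Warning "Reset the password of $Account once so AES keys exist, then re-check with Get-Rc4TicketEvents."
}

# Usage: see who still allows RC4, who actually got RC4 tickets, then fix the service account.
Get-Rc4Accounts | Format-Table -AutoSize
Get-Rc4TicketEvents -DomainController 'dc01.corp.example.com' | Format-Table -AutoSize
# Set-AesOnly -Account 'svc-web'
```

Do the ticket audit before the policy change, not after: a service that silently received RC4 tickets for years is exactly the one that will stop authenticating the moment RC4 is cleared from the policy.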

7. Duplicate SPNs, double the trouble

Error Message: KRB_AP_ERR_MODIFIED – "Message stream modified."

Issue

Two or more accounts have the same SPN. The KDC encrypts the service ticket with the key of whichever account it finds first, so clients that reach the real service hand it a ticket it cannot decrypt (KRB_AP_ERR_MODIFIED), and the failure looks intermittent.

Fix A:

Use setspn -X to detect duplicate SPNs, then remove the copy from the account that does not run the service with setspn -D.

How to do it

  • Open Command Prompt as an administrator.
  • Run: setspn -X (current domain) or setspn -X -F (whole forest).
  • Work out which account the service actually runs as; that one keeps the SPN.
  • Run: setspn -D <SPN> <Account> against the other account.
  • Replace <SPN> and <Account> appropriately, then re-run setspn -X to confirm nothing is left.
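The duplicate-SPN check above as an added example that is not part of the original page: it pulls every object carrying an SPN in one query, groups case-insensitively to find values registered more than once, and removes a duplicate from a named wrong owner. It assumes the ActiveDirectory module and covers the current domain unless pointed at a global catalog; the SPN and DN in the commented usage line are constructed placeholders.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module;
# the SPN and owner DN in the usage line are constructed placeholders.
Import-Module ActiveDirectory

function Get-DuplicateSpn {
    # One query for every object that carries an SPN, then group by SPN value.
    # Current domain only; add -Server <dc>:3268 for a forest-wide check like setspn -X -F.
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $obj = $_
            foreach ($spn in $obj.servicePrincipalName) {
                [pscustomobject]@{ Spn = $spn; Owner = $obj.DistinguishedName; Class = $obj.ObjectClass }
            }
        } |
        Group-Object { $_.Spn.ToLowerInvariant() } |    # SPN matching is case-insensitive
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{ Spn = $_.Name; Owners = @($_.Group.Owner) }
        }
}

function Remove-SpnFrom {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$WrongOwnerDn
    )
    # Equivalent of `setspn -D <SPN> <Account>`: strip the SPN from the account that does
    # not run the service, leaving the real owner untouched.
    Set-ADObject -Identity $WrongOwnerDn -Remove @{servicePrincipalName = $Spn}
}

# Usage: review before deleting; the directory cannot tell you which account the
# service really runs under, only which accounts claim the name.
Get-DuplicateSpn | Format-List
# Remove-SpnFrom -Spn 'MSSQLSvc/sql01.corp.example.com:1433' -WrongOwnerDn 'CN=old-svc,OU=Service Accounts,DC=corp,DC=example,DC=com'
```

Run Get-DuplicateSpn again after the removal; a duplicate that reappears within minutes usually means something (an installer, a script, a second administrator) is re-registering it, and that is the thing to fix.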