Kerberos Error While Managing Microsoft Failover Cluster


Brief on cluster setup:

My cluster has 2 nodes, which are part of a domain. Details of the nodes and the domain are below:

- TestNodeA, TestNodeB: both physical servers running Windows Server 2012 (build 9200), part of the testdomain.com domain.

- testdomain.com: VM running Windows Server 2003 SP2.

- The cluster on these nodes works fine if the quorum is Node Majority. When the quorum is modified to Node and Disk Majority, it fails on the node that doesn't own the quorum.

Brief on the Kerberos issue:

When the quorum on the cluster is modified to Node and Disk Majority, the Kerberos security issue starts. Let's say TestNodeB owns the quorum. When I try to manage the cluster using Windows Failover Cluster Manager from TestNodeA by giving the cluster name, it gives a security error (error code: 1825).

The same error is returned if I try to open the cluster by calling OpenCluster("clustername") (Windows Cluster API) (but if OpenCluster("nodename") is called with the node name, it works fine). The system event log logs the following error message:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          9/7/2012 11:43:02 AM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      testnodea.testdomain.com
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server testnodea$. The target name used was MSServerClusterMgmtAPI/<clustername>. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (testdomain.com) is different from the client domain (testdomain.com), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Event details:

- System
  - Provider
    [ Name]             Microsoft-Windows-Security-Kerberos
    [ Guid]             {98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}
    [ EventSourceName]  Kerberos
  - EventID             4
    [ Qualifiers]       16384
  Version               0
  Level                 2
  Task                  0
  Opcode                0
  Keywords              0x80000000000000
  - TimeCreated
    [ SystemTime]       2012-09-07T06:13:02.000000000Z
  EventRecordID         7159
  Correlation
  - Execution
    [ ProcessID]        0
    [ ThreadID]         0
  Channel               System
  Computer              testnodea.testdomain.com
  Security

- EventData
  Server                testnodea$
  TargetRealm           testdomain.com
  TargetName            MSServerClusterMgmtAPI/<clustername>
  ClientRealm           testdomain.com

Analysis on the KRB_AP_ERR_MODIFIED error:

This error might be due to the following reasons:

- Duplicate SPN

- Multiple or missing SPN entries

- Client requests a ticket for the wrong SPN

- SPN set on an unexpected account

In my case, the error is due to "client requests a ticket for the wrong SPN", as I have verified the other reasons.

Any suggestions/comments will be of great help!

Thanks
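As an added example (not part of the original post, and not Microsoft's cluster tooling), the PowerShell below audits the SPN conditions the analysis lists: for the MSServerClusterMgmtAPI SPN named in the event it finds every AD account holding the SPN and reports whether it is missing, duplicated, or registered on an account other than the cluster name object (CNO). The cluster network name testcluster, its CNO testcluster$ and the DNS suffix testdomain.com are assumptions, since the post only shows <clustername>. It uses a plain LDAP search through the [adsisearcher] accelerator rather than the ActiveDirectory module, so it can be run from a Windows Server 2012 node against a Windows Server 2003 domain controller without Active Directory Web Services.

```powershell
# Added example, not from the original post. Audits who holds the SPNs a
# client would request when managing a cluster by its network name.
# Assumed (hypothetical) values: cluster network name 'testcluster',
# CNO 'testcluster$', DNS suffix 'testdomain.com'.

function Test-ClusterSpn {
    param(
        [Parameter(Mandatory)] [string]   $ClusterName,                  # assumed: 'testcluster'
        [Parameter(Mandatory)] [string]   $DnsSuffix,                    # assumed: 'testdomain.com'
        [string]   $ExpectedAccount = "$ClusterName`$",                  # sAMAccountName of the CNO
        [string[]] $ServiceClasses  = @('MSServerClusterMgmtAPI')        # class from the event's TargetName
    )

    foreach ($class in $ServiceClasses) {
        # The event text suggests the fully qualified name when short names are
        # ambiguous, so both forms of the SPN are checked.
        foreach ($spn in @("$class/$ClusterName", "$class/$ClusterName.$DnsSuffix")) {

            # Exact-value LDAP match on the multi-valued servicePrincipalName
            # attribute; every object in the domain holding this SPN is returned.
            $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
            $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
            $holders = @($searcher.FindAll() |
                         ForEach-Object { $_.Properties['samaccountname'][0] })

            # Map the holder count onto the failure modes listed in the analysis.
            $status = switch ($holders.Count) {
                0       { 'MISSING' }                                   # no account has the SPN: KDC cannot issue a ticket
                1       { if ($holders[0] -ieq $ExpectedAccount) { 'OK' }
                          else { 'WRONG-ACCOUNT' } }                    # SPN set on an unexpected account
                default { 'DUPLICATE' }                                 # same SPN on several accounts
            }

            [pscustomobject]@{
                SPN     = $spn
                Holders = ($holders -join ', ')
                Status  = $status
            }
        }
    }
}

# Run from the node that fails (TestNodeA in the post), with the assumed names.
Test-ClusterSpn -ClusterName 'testcluster' -DnsSuffix 'testdomain.com' |
    Format-Table -AutoSize

# Cross-checks with the tools that ship with Windows Server 2012:
#   setspn -X                  forest-wide search for duplicate SPNs
#   setspn -L testcluster$     every SPN registered on the CNO
#   klist purge
#   klist get MSServerClusterMgmtAPI/testcluster
#       forces a fresh service-ticket request for the exact SPN the client
#       uses, so the client-side target name can be confirmed independently
#       of the cached ticket that produced the event above.
```

Any row whose Status is not OK maps directly to one of the four causes in the analysis; a WRONG-ACCOUNT result for an SPN held by a node computer account such as testnodea$ would match the Server field of the event, since the node would receive a ticket encrypted with a key it does not have. The script only reads the directory; fixing a bad registration is a separate setspn -D / setspn -S step that should be done against the CNO only.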



Windows Server  >  Windows Server 2012 General


