Issue with Secondary ADFS Server Creation – Event ID 4

Anil Kadam 20 Reputation points
2025-02-25T04:05:38.6+00:00

Hi,

I am facing an issue while creating the secondary ADFS server. My primary ADFS server is functioning properly; however, when attempting to set up the secondary server, I encountered an error during the pre-check process with Event ID 4.

Below are the error details:

Service Account: srvadfapp

Error Screenshot: [Attach error.png]

"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server srvadfapp. The target name used was host/hfcyotpdaf1v01.niwashfc.intra. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (NIWASHFC.INTRA) is different from the client domain (NIWASHFC.INTRA), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."

Could you please review the error and provide a possible solution to resolve this issue?

Thanks and Regards,

Anil Kadam

Windows Server 2019

1 answer

Sort by: Most helpful
  1. Zunhui Han 3,650 Reputation points Microsoft External Staff
    2025-03-06T09:45:57.7366667+00:00

    Hello,

    Thank you for posting in Q&A forum.

    To further troubleshoot this Kerberos authentication issue, please kindly try the steps below:

    1. Check and ensure that the SPN host/hfcyotpdaf1v01.niwashfc.intra is only registered on the service account srvadfapp.

    Open a CMD window as administrator and run the commands below:

    a. Check the SPN:

    setspn -Q host/hfcyotpdaf1v01.niwashfc.intra

    b. Remove the incorrect SPN:

    setspn -D host/hfcyotpdaf1v01.niwashfc.intra <incorrect_account>

    c. Add the correct SPN:

    setspn -S host/hfcyotpdaf1v01.niwashfc.intra srvadfapp

    REF: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)

    2. Check whether the service account password is correct.

    3. Restart the ADFS service on the primary and secondary servers so the changes take effect, by running the following CMD command:

    Restart-Service adfssrv

    To help other customers who may be facing the same issue, please don't forget to vote if the reply is helpful.

    Best Regards

    Zunhui

    1 person found this answer helpful.
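The SPN check from the answer above, as an added PowerShell example that is not part of this thread: it lists every AD account holding the SPN named in the Event ID 4 message and flags a duplicate or unexpected owner before any setspn -D/-S change is made, and pulls the recent KRB_AP_ERR_MODIFIED events from the System log. It assumes the RSAT ActiveDirectory module and read access to the domain; the function names are mine.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-SpnOwner {
    param(
        [Parameter(Mandatory)] [string] $Spn,              # e.g. host/hfcyotpdaf1v01.niwashfc.intra
        [Parameter(Mandatory)] [string] $ExpectedAccount   # e.g. srvadfapp
    )
    # LDAP filter values must escape \ ( ) * (RFC 4515); the backslash goes first.
    $escaped = $Spn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

    # Any object (user, computer, gMSA) carrying this SPN is an owner; more than one is a conflict
    # because the KDC encrypts the ticket with only one of those accounts' keys.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" `
                   -Properties sAMAccountName |
               Select-Object -ExpandProperty sAMAccountName)

    [pscustomobject]@{
        Spn        = $Spn
        Owners     = $owners
        Duplicate  = ($owners.Count -gt 1)
        # Computer accounts carry a trailing '$' in sAMAccountName; compare case-insensitively.
        OnExpected = [bool]($owners | Where-Object { $_.TrimEnd('$') -ieq $ExpectedAccount.TrimEnd('$') })
    }
}

function Get-RecentKrbApErrModified {
    param([int] $Hours = 24)
    # Kerberos client Event ID 4 is written to the System log of the machine that presented the ticket.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 4
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
}

$spn     = 'host/hfcyotpdaf1v01.niwashfc.intra'
$account = 'srvadfapp'
$result  = Test-SpnOwner -Spn $spn -ExpectedAccount $account
$result | Format-List
if ($result.Duplicate) {
    Write-Warning "SPN $spn is registered on more than one account: $($result.Owners -join ', ')"
} elseif (-not $result.OnExpected) {
    Write-Warning "SPN $spn is not registered on $account (owners: $($result.Owners -join ', '))"
}
Get-RecentKrbApErrModified | Format-Table -AutoSize -Wrap
```

Run it on the secondary server before changing any SPN; a Duplicate of True, or OnExpected of False, is the condition the event text describes.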
