SQL Server Connection Error: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server

Posted: 12/31/2016 11:47 AM

I recently changed the user account that my SQL Server instance was running under from "sql.user" to "sql.user2". When I attempted to have my application server connect via integrated Windows Authentication to this SQL Server after changing the user account and restarting the service, I began receiving this error message in the Windows System Event Log:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sql.user2. The target name used was MSSQLSvc/db01.xyz.com:52663.

I discovered after some research that the client server was still attempting to connect to my SQL Server using the old account name. Running the PowerShell command setspn -Q MSSQLSvc/db01.xyz.com:52663 yielded the following output, indicating that the old account was still being used.

Checking domain DC=xyz,DC=com
CN=SQL Server Service Account,OU=Service Accounts,DC=xyz,DC=com
    MSSQLSvc/db01.xyz.com:52663

To clear the cached Kerberos entries, I ran the following commands on the client computer:

setspn -D MSSQLSvc/db01.xyz.com:52663 sql.user
setspn -S MSSQLSvc/db01.xyz.com:52663 sql.user2

This cleared out the cached entries and I was able to reconnect.
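
As an added example (not part of the original post), the PowerShell below parses setspn -Q output and reports whether an SPN is registered to the account the service now runs under. The function names and the distinguished name used for sql.user2 are assumptions; the sample output is the one shown above.

```powershell
# Added example, not from the original post. Function names are hypothetical.

# Return the distinguished name of every account that holds $Spn,
# given the lines printed by: setspn -Q <spn>
function Get-SpnHolder {
    param(
        [Parameter(Mandatory)][string[]]$SetSpnOutput,
        [Parameter(Mandatory)][string]$Spn
    )
    $currentDn = $null
    foreach ($line in $SetSpnOutput) {
        if ($line -match '^(CN=.+)$') {
            # Unindented DN line: the account object the following SPNs belong to
            $currentDn = $Matches[1].Trim()
        } elseif ($currentDn -and $line -match '^\s+(\S+)\s*$') {
            # Indented line: one SPN registered on $currentDn
            if ($Matches[1] -ieq $Spn) { $currentDn }
        }
        # Anything else ("Checking domain ...", status lines, blanks) is ignored
    }
}

# Classify the registration state of $Spn against the account that should own it
function Test-SpnOwner {
    param(
        [Parameter(Mandatory)][string[]]$SetSpnOutput,
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$ExpectedDn
    )
    $holders = @(Get-SpnHolder -SetSpnOutput $SetSpnOutput -Spn $Spn | Sort-Object -Unique)
    if     ($holders.Count -eq 0)         { $status = 'Missing' }       # no account holds the SPN
    elseif ($holders.Count -gt 1)         { $status = 'Duplicate' }     # more than one account holds it
    elseif ($holders[0] -ieq $ExpectedDn) { $status = 'OK' }
    else                                  { $status = 'WrongAccount' }  # ticket is encrypted for another account's key
    [pscustomobject]@{ Spn = $Spn; Status = $status; Holders = $holders }
}

# Sample input: the setspn -Q output shown in the post.
# On a live system use: $out = setspn -Q MSSQLSvc/db01.xyz.com:52663
$out = @(
    'Checking domain DC=xyz,DC=com',
    'CN=SQL Server Service Account,OU=Service Accounts,DC=xyz,DC=com',
    "`tMSSQLSvc/db01.xyz.com:52663"
)
# Constructed placeholder: the post does not give the DN of sql.user2
$expected = 'CN=sql.user2,OU=Service Accounts,DC=xyz,DC=com'

Test-SpnOwner -SetSpnOutput $out -Spn 'MSSQLSvc/db01.xyz.com:52663' -ExpectedDn $expected
```

A WrongAccount result corresponds to the situation in this post: the SPN is still registered to the previous service account, so the service running as the new account cannot decrypt the ticket.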