I recently changed the user account that my SQL Server instance was running under from "sql.user" to "sql.user2". When I attempted to have my application server connect via integrated Windows Authentication to this SQL Server after changing the user account and restarting the service, I began receiving this error message in the Windows System Event Log:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sql.user2. The target name used was MSSQLSvc/db01.xyz.com:52663.
I discovered after some research that the client server was still attempting to connect to my SQL Server using the old account name. Running the PowerShell command
    setspn -Q MSSQLSvc/db01.xyz.com:52663
yielded the following output, indicating that the old account was still being used.
    Checking domain DC=xyz,DC=com
    CN=SQL Server Service Account,OU=Service Accounts,DC=xyz,DC=com
        MSSQLSvc/db01.xyz.com:52663
To clear the cached Kerberos entries, I ran the following commands on the client computer:
    setspn -D MSSQLSvc/db01.xyz.com:52663 sql.user
    setspn -S MSSQLSvc/db01.xyz.com:52663 sql.user2
This cleared out the cached entries and I was able to reconnect.
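A read-only check for the situation described above, as an added example that is not part of the original post: it looks up which account holds the SPN in Active Directory, compares it with the account the service now runs as, and returns the setspn commands from the post as text without running them. The function name Test-SpnOwner and its -Holders parameter are hypothetical, and the sample record is constructed from the values in the post.

```powershell
function Test-SpnOwner {
    param(
        [Parameter(Mandatory)] [string] $Spn,
        [Parameter(Mandatory)] [string] $ExpectedAccount,  # sAMAccountName the service runs as
        [object[]] $Holders                                 # hypothetical hook: pre-fetched lookup results
    )
    if ($PSBoundParameters.ContainsKey('Holders')) {
        $found = @($Holders | Where-Object { $_ })
    } else {
        # Escape LDAP filter metacharacters (RFC 4515) before building the query.
        $safe = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $searcher = [adsisearcher]"(servicePrincipalName=$safe)"
        [void]$searcher.PropertiesToLoad.AddRange([string[]]('samaccountname', 'distinguishedname'))
        $found = @(foreach ($r in $searcher.FindAll()) {
            [pscustomobject]@{
                Account = [string]$r.Properties['samaccountname'][0]
                DN      = [string]$r.Properties['distinguishedname'][0]
            }
        })
    }
    # Every holder that is not the expected service account (comparison is case-insensitive).
    $wrong = @($found | Where-Object { $_.Account -ne $ExpectedAccount })
    if     ($found.Count -eq 0) { $status = 'Missing' }
    elseif ($found.Count -gt 1) { $status = 'Duplicate' }
    elseif ($wrong.Count -eq 1) { $status = 'WrongAccount' }
    else                        { $status = 'OK' }

    # Build the corrective commands as text only; nothing in the directory is changed here.
    $fix = @($wrong | ForEach-Object { "setspn -D $Spn $($_.Account)" })
    if (-not ($found.Account -contains $ExpectedAccount)) {
        $fix += "setspn -S $Spn $ExpectedAccount"
    }
    [pscustomobject]@{ Spn = $Spn; Status = $status; Holders = $found; SuggestedFix = $fix }
}

# Constructed sample mirroring the post: the SPN is still held by the old account.
$sample = @([pscustomobject]@{
    Account = 'sql.user'
    DN      = 'CN=SQL Server Service Account,OU=Service Accounts,DC=xyz,DC=com'
})
Test-SpnOwner -Spn 'MSSQLSvc/db01.xyz.com:52663' -ExpectedAccount 'sql.user2' -Holders $sample |
    Format-List
```

Omit -Holders on a domain-joined machine to query the directory instead of the sample record.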