A few months ago, the firm I work for had an issue with one of our implementations of Server 2012 R2. It was our 2nd install of Domain Controllers running this OS, and the environment we installed was experiencing Kerberos errors which caused intermittent login issues on servers and workstations. After much troubleshooting we were stumped, and the workaround of ‘reboot the server/client and you will be able to login again’ wasn’t exactly a satisfactory fix for ourselves or the client. We logged a call with Microsoft, who were also stumped by the problem as we were the first partner to report this. A registry workaround was given to us which solved the clients woes temporarily, but now a hotfix is available! We have successfully deployed this hotfix and it has cured the problem.
I won’t write a huge spiel about this problem as Microsoft have already done this for me, but if you are experiencing login issues on Windows 7, Server 2008 R2 and/or Server 2012 R2 and you have recently deployed 2012 R2 Domain Controllers in a 2003 domain environment, you may be suffering from this issue. Look in your DCs event logs for the following event:
Event ID: 4
“The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/myserver.domain.com. This indicates that the password used to encrypt the Kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (domain.com), and the client realm. Please contact your system administrator.”
Please follow this link to read more about the problem and to download the hotfix: