"Target account name is incorrect" error when a domain user accesses a share on a file server that is running Windows Server 2012 R2
Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard
Symptoms


When domain users try to access a share on a file server that is running Windows Server 2012 R2, they cannot access the share, and they receive the following error message:

Logon failure: Target account name is incorrect.

Additionally, when this problem occurs, Event ID 4 and Event ID 1097 are logged in the Server log. This problem may occur for several hours or up to a day. Then, the user loses access to the share on the server.

Event ID 4

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server_name$. The target name used was server_name$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DNS_prefix.dns_suffix) is different from the client domain (DNS_prefix.dns_suffix), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Event ID 1097

The processing of Group Policy failed. Windows could not determine the computer account to enforce Group Policy settings. This may be transient. Group Policy settings, including computer configuration, will not be enforced for this computer.

Cause

This problem occurs because the file server cannot decrypt the ticket that was encrypted in AES256.

Resolution

To resolve this problem, set the value of the SupportedEncryptionTypes attribute to 0x7fffffff. To do this, follow these steps:

1. In the Group Policy Management Console (GPMC), expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then select Security Options.
2. Click to select the Network security: Configure encryption types allowed for Kerberos option.
3. Click to select the Define these policy settings check box and all six check boxes for the encryption types.
4. Click OK, and then close the GPMC.


Note This policy sets the SupportedEncryptionTypes registry entry to a value of 0x7FFFFFFF. The SupportedEncryptionTypes registry entry is at the following location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters
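
To confirm on the file server that the policy was applied, the following PowerShell reads the SupportedEncryptionTypes registry entry named above and decodes it against the six policy check boxes. It is an added example, not part of the original article or Microsoft's code; the function names are hypothetical, and the sample values 0x7FFFFFFF and 0x18 are constructed inputs.

```powershell
# Added example (not from the original article).
# Masks correspond to the six check boxes of the policy
# "Network security: Configure encryption types allowed for Kerberos".
$EtypeMasks = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}

# Hypothetical helper: expand a SupportedEncryptionTypes value into one row per check box.
function ConvertFrom-SupportedEncryptionTypes {
    param([Parameter(Mandatory)][long]$Value)
    foreach ($name in $EtypeMasks.Keys) {
        $mask = [long]$EtypeMasks[$name]
        [pscustomobject]@{
            EncryptionType = $name
            Mask           = '0x{0:X}' -f $mask
            Enabled        = ($Value -band $mask) -eq $mask
        }
    }
}

# Hypothetical helper: read the policy-written value from the key named in the article.
function Get-KerberosEtypePolicy {
    $key  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters'
    $item = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning "SupportedEncryptionTypes is not present under $key (policy not applied)."
        return
    }
    $value = [long]$item.SupportedEncryptionTypes
    Write-Host ('SupportedEncryptionTypes = 0x{0:X8}; matches 0x7FFFFFFF: {1}' -f $value, ($value -eq 0x7FFFFFFF))
    ConvertFrom-SupportedEncryptionTypes -Value $value
}

# Constructed sample values: the article's value and an AES-only value (0x18).
ConvertFrom-SupportedEncryptionTypes -Value 0x7FFFFFFF | Format-Table -AutoSize
ConvertFrom-SupportedEncryptionTypes -Value 0x18 | Format-Table -AutoSize

# On the file server itself, read what Group Policy actually wrote:
Get-KerberosEtypePolicy | Format-Table -AutoSize
```

With the article's value every row shows Enabled, which includes the legacy DES and RC4 types alongside AES128 and AES256.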

Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.