I didn’t dig into this but wanted to give a heads up that when I used Windows Update this evening to apply the latest patches to my main XP machine after the reboot it would no longer talk to the domain properly and hence unable to log into the machine with a domain ID. This was IMMEDIATELY after the update reboot and thankfully I followed my normal process of rebooting prior to running the updates to validate that everything was ok prior to the updates and it was so I know for a fact it was one of the updates that broke me.
In the event log I started seeing the dreaded KRB_AP_MODIFIED error, specifically for the search engines
EventID: 4
Source: Kerberos
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/r2dc1.test.loc. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (TEST.LOC), and the client realm. Please contact your system administrator.
The patches that were applied were
- Root Certificates Update
- KB943485 (LSASS Fix)
- KB941644 (TCP/IP Fix)
- KB890830 (Windows Malicious Software Removal Tool – January 2008)
- KB931906 (CAPICOM Fix)
I did not install the Silverlight. I actually may never install it now since they tried to shove it down my throat. :o)
My guess is that it was the CAPICOM fix but I don’t have the time to dig into it. I tried quickly to restore point back but that didn’t fix it so I unrestored point back to my previous back before the restore point restore (heh say that 4 times fast) so I am back where I was after I started. :^)
Anyway, I wanted a quick fix so I pulled the machine out of the domain and rejoined it and voila’ it is working again.
joe
P.S. Mom and Shank, don’t worry about this post, you don’t have to worry about it with your computers since you guys aren’t in a domain. You just keep applying all the non-hardware updates as usual.
Any further information?
Hey Joe,
Long time man 😉 — I am having the exact same problem in a production domain some boxes are having this error some are not and you have to rejoin the domain its a real pain and I don’t see any fix anywhere I will have to look internal. Funny part is it seems to be hitting Windows 2000 boxes….