I recently had a domain controller where the computer account had expired. All external authentication failed and I got error messages such as: “The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server”.
As this was a Domain Controller and FSMO role keeper, a domain re-join was not possible.
Solution (from command line):
- Stop the KDC service: “net stop "Kerberos Key Distribution Center"”
- Delete Kerberos tickets: “klist purge”
- Reset password: “netdom resetpwd /s:[workingdc] /ud:domain\user /pd:*”
- Restart server: “shutdown -r”
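
The four steps above as one guarded PowerShell script. This is an added example, not part of the original post: it refuses to reboot if the reset fails and counts the KRB_AP_ERR_MODIFIED events before the fix and after the reboot. The parameter names (`-WorkingDc`, `-Account`, `-VerifyOnly`) and the helper function are hypothetical, and the lookup assumes the error is written to the System log by the Security-Kerberos provider.

```powershell
# Added example, not from the original post. Run elevated on the affected DC.
param(
    [string] $WorkingDc,   # hypothetical parameter: a healthy DC to process the reset
    [string] $Account,     # hypothetical parameter: DOMAIN\user allowed to reset it
    [switch] $VerifyOnly   # hypothetical switch: after the reboot, only count new errors
)
$ErrorActionPreference = 'Stop'

function Get-ApErrModifiedCount([datetime] $Since) {
    # Assumption: the error is logged in the System log by the Security-Kerberos provider.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    @($events | Where-Object { $_.Message -match 'KRB_AP_ERR_MODIFIED' }).Count
}

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal] $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated session.' }

if ($VerifyOnly) {
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    "KRB_AP_ERR_MODIFIED events since boot ($boot): $(Get-ApErrModifiedCount $boot)"
    return
}
if (-not $WorkingDc -or -not $Account) { throw 'Specify -WorkingDc and -Account.' }
"KRB_AP_ERR_MODIFIED events in the last 24 hours: $(Get-ApErrModifiedCount (Get-Date).AddDays(-1))"

# Step 1: stop the KDC ("kdc" is the service name behind the display name used above)
Stop-Service -Name kdc -Force

# Step 2: delete cached Kerberos tickets
klist purge

# Step 3: reset the machine account password against the working DC (prompts for the password)
netdom resetpwd /s:$WorkingDc /ud:$Account /pd:*
if ($LASTEXITCODE -ne 0) {
    Start-Service -Name kdc   # put the service back before stopping
    throw "netdom resetpwd failed with exit code $LASTEXITCODE; not rebooting."
}

# Step 4: restart the server
shutdown -r
```

After the reboot, run the script again with `-VerifyOnly`; a count of zero since boot indicates the error has stopped recurring.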