Consider the following scenario, with all machines in the same domain:

  • Windows Server 2008 domain controller
  • Windows Vista or Windows Server 2008 client
  • Windows Server 2008 failover cluster

The client tries to access the cluster by its NetBIOS or DNS name and gets an error:

“\\{cluster name} is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

Logon Failure: The target account name is incorrect.”

A network trace shows that the cluster returns KRB5KRB_AP_ERR_MODIFIED to the client. Microsoft-Windows-Security-Kerberos event ID 4 is also recorded. Services that rely on Kerberos communication with a cluster name will also fail with various symptoms (possibly pointing towards “access denied”). The failure occurs when the NetBIOS or DNS name of the cluster computer object is used. If the cluster is accessed by its IP address, no error is displayed (as NTLM is used instead of Kerberos). If a Windows client prior to Vista is used, the problem does not occur. If any dedicated node name is entered, the problem does not occur.
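To confirm the symptom on an affected client without a network trace, the following added example (not part of the original article) summarizes Kerberos event ID 4 entries by responding server and target name. It assumes the event is written to the System log and that its message has the form "... error from the server <name>. The target name used was <name>."; the `$Hours` parameter and the output column names are hypothetical.

```powershell
# Added example: summarize Microsoft-Windows-Security-Kerberos event ID 4
# (KRB_AP_ERR_MODIFIED) entries on the client.
# Assumptions: the event is logged to the System log, and its message names the
# responding server and the target name as
# "... error from the server <name>. The target name used was <name>."
param(
    [int]$Hours = 24   # look-back window (hypothetical parameter)
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 4
    StartTime    = (Get-Date).AddHours(-$Hours)
}

# Capture both names; the trailing "\." is the sentence-ending period.
$pattern = 'from the server\s+(?<Server>\S+)\.\s+The target name used was\s+(?<Target>\S+)\.'

# Get-WinEvent reports an error when nothing matches, so suppress it and test the result.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No Kerberos event ID 4 entries in the last $Hours hours."
    return
}

$events | ForEach-Object {
    if ($_.Message -match $pattern) {
        New-Object PSObject -Property @{
            Time   = $_.TimeCreated
            Server = $Matches['Server']
            Target = $Matches['Target']
        }
    }
} | Group-Object Server, Target |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }
```

Entries whose target is the cluster name, with none for the individual node names, match the pattern described above.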

