Kerberos: authentication fails, 'Message stream modified'

Answer: The error message "Message stream modified (41)" generally indicates one of the following issues: - The keytab has been generated on an alias, such as 'TOPdesk' or 'Servicedesk', whereas the actual name of the server is different. The ktpass command should always specify the A-record of the server, not an alias.

Answer: The error message "Message stream modified (41)" generally indicates one of the following issues: - The keytab has been generated on an alias, such as 'TOPdesk' or 'Servicedesk', whereas the actual name of the server is different. The ktpass command should always specify the A-record of the server, not an alias. - There is a discrepancy between the password of the service account on the Domain Controller, and the password specified in the keytab file. This can occur if the password for the service account has been changed after running the ktpass command. In both cases we would recommend going through the Kerberos initialization steps again. Please perform the following steps: 1. Delete the keytab. 2. On the domain controller run the command 'setspn -x' to check whether there are any duplicate SPNs relating to TOPdesk. 3. Either delete the AD user initially used; or use the command 'setspn -d' to remove any SPNs on this user. To remove an SPN, use the setspn -d service/namehostname command at a command prompt, where service/name is the SPN that is to be removed and hostname is the actual host name of the computer object that you want to update. For example, if the SPN for the Web service on a computer named Server3.contoso.com is incorrect, you can remove it by typing 'setspn -d http/server3.contoso.com server3', and then pressing ENTER. 4. Run the ktpass command again, after starting the command prompt with administrator permissions to ensure that this is not limiting the creation of the keytab.