The client is installed locally and can connect to the server. From another server, the GPMC extension can’t connect to the server with an error “A call to SSPI failed, see inner exception” (no other details in the error message). We have uninstalled the GPMC extension from this server and replaced it with the GPOAdmin client. When we try to connect using the SCP proposed by default (which looks correct), the error is the same: “A call to SSPI failed, see inner exception” If we try to connect to the server using its IP address, it works.
The root cause is likely a Kerberos problem in the domain. This could be why the shortname works and the FQDN does not as this is part of the information used by Kerberos when authenticating. Please have a look at the Microsoft article below to show the causes of the KRB_AP_ERR_MODIFIED error and how to address it.
Microsoft Article Link: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-client-krb-ap-err-modified-error
TGS is encrypted with RC4, but the session key is using AES.
The msds-supportedEncryptionTypes attribute is empty for the service account, but its value is 0 for the user trying to connect. Enabling explicit AES support for the service account resolved the issue.
