Long time since last post, but this one is something I feel like I have to share.
Recently experienced a issue after upgrading en environment from Exchange Server 2013 to Exchange Server 2019.
After installing the new server, some users startet to experience the Outlook client asking for password repeatedly. The problem was not consistent accross all devices/users, so it was somewhat troublesome to troubleshoot.
The key to the solution appeared after a client repeatedly reported Event ID 4 from Security-Kerberos service:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server %1. The target name used was %3. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named server accounts in the target realm (%2), and the client realm (%4). Please contact your system administrator.
Turns out that the SPN of the e-mail service and autodiscover in the local domain was not updated automatically to the new Exchange 2019 Server.
By using this article from Microsoft, I was able to locate the SPN pointing to the old Exchange server, remove the SPN and replace it with the correct server address. When completed, all Outlook clients startet functioning as normal.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-event-4-access-denied
The syntax for the setspn command is as follows:
setspn -Q HTTP/mail.domain.com (alt. HTTP/autodiscover.domain.com)
setspn -D <SPN> LOCALDOMAIN\OLD_ServerName$
setspn -A <SPN> LOCALDOMAIN\NEW_ServerName$
Universal Communications, My experiences. 