After the customer modified the Base URL setting to use a different hostname, single sign-on (SSO) functionality stopped working for all users across the environment. However, when the Base URL is reverted back to the original hostname of the StoreFront server, single sign-on resumes normal operation without any issues.

Run below setspn command to register SPN record on Storefront server.

setspn -S HTTP/%newbaseurl% %hostname% 

Problem Cause

The customer is using Kerberos authentication, rather than NTLM, to perform single sign-on (SSO) with the StoreFront server.

After changing the Base URL, clients began receiving the KRB_AP_ERR_MODIFIED error from Storefront server, which indicates a mismatch between the Service Principal Name (SPN) and the server identity. This issue occurred because the new Base URL did not match any existing SPN records registered for the StoreFront server. To resolve the problem, a new SPN record corresponding to the updated Base URL was registered on the StoreFront server, restoring proper Kerberos authentication and resolving the SSO failure.