Possible Agent issue with DC - Microsoft-Windows-Security-Kerberos

Hello, I am working with PSO to deploy Change Auditor in production. I stood up a lab to test how some agents would interact. The agents of concern are ManageEngine PasswordSyncAgent and the Quest Change Auditor Agent.

We couldn't find a smoking gun in the lab, so we continued to deploy in production. When deploying the agent and looking for the unknown, I came across an error in the System log that is of some concern. The error can be replicated on existing agent installations but not consistently. The error is instant in production on Quest Change Auditor Agent deployment.

First: Has anyone had known issues with Quest Change Auditor Agent and ManageEngine Password Sync Agent?

Second: Has anyone seen the below error generated on Domain Controllers where the agent is installed? I've seen these errors before but NOT when it is talking about ITSELF!

Any feedback would be greatly appreciated :)

Log Name:      System

Source:        Microsoft-Windows-Security-Kerberos

Date:          3/10/2021 4:14:40 PM

Event ID:      4

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      DOMAINCONTROLLER

Description:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DOMAINCONTROLLER$. The target name used was host/localhost. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN) is different from the client domain (DOMAIN), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />

    <EventID Qualifiers="16384">4</EventID>

    <Version>0</Version>

    <Level>2</Level>

    <Task>0</Task>

    <Opcode>0</Opcode>

    <Keywords>0x80000000000000</Keywords>

    <TimeCreated SystemTime="2021-03-10T21:14:40.000000000Z" />

    <EventRecordID>653812</EventRecordID>

    <Correlation />

    <Execution ProcessID="0" ThreadID="0" />

    <Channel>System</Channel>

    <Computer>DOMAINCONTROLLER</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="Server">DOMAINCONTROLLER$</Data>

    <Data Name="TargetRealm">DOMAIN</Data>

    <Data Name="Targetname">host/localhost</Data>

    <Data Name="ClientRealm">DOMAIN</Data>

    <Binary>

    </Binary>

  </EventData>

</Event>