So I think this error is the same as Ive had before on Server 2012, where you move the CNO into a different OU, then after 60 days when the password for the computer account expires you get into problems. This because some permissions makes it not possible to reset the password. You could always resolve this by simulating failure in the failover cluster manager and then repair it.
Now Im running Server 2012 R2, I read about a bug in which the repair function in FCM was not working correctly but this was supposed to be fixed in the big update in April, which I have installed.
I can simulate failure and then repair but it doesn't seem to make a difference. The CNO still lists with a kerberos security error in Server Manager, and I can't connect to the cluster with external programs such as Veeam. Im getting the feeling that the computer password for the CNO isn't synchronized in the KDC somehow.
At first the eventvwr mentioned that it could also be an SPN-issue since it was trying to call the CNO by its HTTP SPN that wasn't available, adding this manually didn't make a difference though.
The error Im getting in eventvwr is 0x80090322 KRB_AP_ERR_MODIFIED.
Anyone got any ideas?