This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
Some [Troubleshooting] help for [Kerberos]
!! Try these Yes/No Steps
! Can the user's computer get a Kerberos ticket
To verify whether the user's computer can get a Kerberos ticket for the desired service, run the programs [klist], [kinit] and [kdestroy]. These programs are run from the command line and are included in the MIT Kerberos client. In the session below, the first klist shows only the TGT, kinit -S requests a service ticket for the HTTP service on thehost.yourdomain.com, the second klist shows that ticket in the cache next to the TGT, and kdestroy clears the cache again.
{{{
C:\Program Files\MIT\Kerberos\bin>klist
Ticket cache: MSLSA:
Default principal: user1@YOURDOMAIN.COM
Valid starting Expires Service principal
04/21/09 17:36:33 04/22/09 03:36:33 krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
renew until 04/28/09 17:36:33
C:\Program Files\MIT\Kerberos\bin>kinit -S HTTP/thehost.yourdomain.com
Password for user1@YOURDOMAIN.COM:
C:\Program Files\MIT\Kerberos\bin>klist
Ticket cache: MSLSA:
Default principal: user1@YOURDOMAIN.COM
Valid starting Expires Service principal
04/21/09 17:36:47 04/22/09 03:36:47 krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
renew until 04/28/09 17:36:47
04/21/09 17:36:47 04/22/09 03:36:47 HTTP/thehost.yourdomain.com@YOURDOMAIN.COM
renew until 04/28/09 17:36:47
C:\Program Files\MIT\Kerberos\bin>kdestroy
C:\Program Files\MIT\Kerberos\bin>klist
Ticket cache: MSLSA:
Default principal: user1@YOURDOMAIN.COM
Valid starting Expires Service principal
04/22/09 16:39:39 04/23/09 02:39:39 krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
renew until 04/29/09 16:39:39
}}}
* If the user's computer cannot get a ticket for the desired host, or you see the error "Server not found in Kerberos database", there may be a duplicate [SPN] configured for the desired host. This can be diagnosed by running ldifde or [setspn.exe]. The duplicate SPN troubleshooting document gives detailed information on how to diagnose this issue.
* The configuration steps to add the Google Search Appliance as a service to the domain were not run properly. Make sure that the steps listed in Enrolling the Search Appliance in the KDC Domain and Creating a Keytab File were run correctly.
!! Make sure that required services and servers are available.
The [Kerberos] authentication protocol requires a functioning:
* [KDC] (i.e. a domain controller)
* Domain Name System (DNS) infrastructure
* network
in order to work properly. Verify that you can access these resources __before you begin__ troubleshooting the Kerberos protocol.
!! Make sure that the clocks are synchronized across the [Kerberos Realm].
Many network services, including Kerberos authentication, depend on time synchronization throughout the [Kerberos Realm].
There are some commands you can use to [Verify Time is Synchronized].
!! [Troubleshooting Kerberos SPN]
Often you will find that your service attempts to use [kerberos] authentication, fails, and then falls back to [NTLM]. The typical reason is a failure to obtain a [Client-To-Server Ticket] because the [KDC] cannot find the correct service from the provided [SPN].
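The two checks behind the Yes/No steps above and the SPN failure described here, written as an added example that is not part of the original wiki page: the first function parses klist output (in the MSLSA format shown above) to answer "is there a valid service ticket for this SPN", the second parses an ldifde export of servicePrincipalName values to find an SPN registered on more than one account. Both inputs are constructed samples; the account and object names in them are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed klist output in the format shown on this page (MSLSA cache).
KLIST_OUTPUT = """Ticket cache: MSLSA:
Default principal: user1@YOURDOMAIN.COM
Valid starting     Expires            Service principal
04/21/09 17:36:47  04/22/09 03:36:47  krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
        renew until 04/28/09 17:36:47
04/21/09 17:36:47  04/22/09 03:36:47  HTTP/thehost.yourdomain.com@YOURDOMAIN.COM
        renew until 04/28/09 17:36:47
"""

# Constructed ldifde export of servicePrincipalName; the HTTP SPN is
# (wrongly) registered on both the service account and the computer object.
LDIF_EXPORT = """dn: CN=gsa-svc,OU=Services,DC=yourdomain,DC=com
servicePrincipalName: HTTP/thehost.yourdomain.com
servicePrincipalName: HTTP/thehost

dn: CN=THEHOST,OU=Servers,DC=yourdomain,DC=com
servicePrincipalName: HOST/thehost.yourdomain.com
servicePrincipalName: HTTP/thehost.yourdomain.com
"""

TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")

def _ts(text):
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")

def service_ticket_valid(klist_text, spn, now):
    """True if klist_text holds a ticket for spn (no realm) valid at `now` (MM/DD/YY HH:MM:SS)."""
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line.strip())   # header and 'renew until' lines do not match
        if m and m.group(3).split("@")[0].lower() == spn.lower():
            return _ts(m.group(1)) <= _ts(now) < _ts(m.group(2))
    return False

def duplicate_spns(ldif_text):
    """Map each SPN found on more than one object to its owning DNs (case-insensitive, as AD compares SPNs)."""
    owners, dn = defaultdict(list), None
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn: "):
            dn = line[4:].strip()
        elif line.lower().startswith("serviceprincipalname: ") and dn:
            owners[line.split(":", 1)[1].strip().lower()].append(dn)
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}
```

A duplicate SPN explains the "Server not found in Kerberos database" symptom: the KDC cannot pick a single key for the service, so the client never receives a ticket for it even though kinit for the TGT works.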
!! Windows [{$pagename}]
We found this guide, [Troubleshooting Kerberos Errors|https://docs.google.com/a/willeke.com/document/d/17NATbvsoKc2-XAGEwFG27LUC9ow_DM2jQMbrKfxlVww/edit?pli=1|target='_blank'], to cover [{$pagename}] on Windows extensively. The [guide|https://docs.google.com/a/willeke.com/document/d/17NATbvsoKc2-XAGEwFG27LUC9ow_DM2jQMbrKfxlVww/edit?pli=1|target='_blank'] may also be helpful when [{$pagename}] on other platforms.
!! [Kerberos Error Codes]
[Kerberos Error Codes] shows the responses from [{$pagename}] that a client might observe.
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]