Overview#

Some Troubleshooting help for Kerberos

Try these Yes/No Steps#

Can the user's computer get a Kerberos ticket#

To verify if the user's computer can get a Kerberos ticket for the desired service you can run the programs klist, kinit and kdestroy. These programs can be run from the command line and are included in the MIT Kerberos client.

C:\Program Files\MIT\Kerberos\bin>klist 
Ticket cache: MSLSA: 
Default principal: user1@YOURDOMAIN.COM 
Valid starting		Expires 	  Service principal 
04/21/09 17:36:33 	04/22/09 03:36:33 krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM  
	renew until 04/28/09 17:36:33 

C:\Program Files\MIT\Kerberos\bin>kinit -S HTTP/thehost.yourdomain.com 
Password for user1@YOURDOMAIN.COM: 

C:\Program Files\MIT\Kerberos\bin>klist 
Ticket cache: MSLSA: 
Default principal: user1@YOURDOMAIN.COM 
Valid starting 		Expires 	  Service principal 
04/21/09 17:36:47 	04/22/09 03:36:47 krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
	renew until 04/28/09 17:36:47 
04/21/09 17:36:47 	04/22/09 03:36:47 HTTP/thehost.yourdomain.com@YOURDOMAIN.COM  
	renew until 04/28/09 17:36:47  

C:\Program Files\MIT\Kerberos\bin>kdestroy

C:\Program Files\MIT\Kerberos\bin>klist
Ticket cache: MSLSA:
Default principal: user1@YOURDOMAIN.COM

Valid starting		Expires            Service principal
04/22/09 16:39:39	04/23/09 02:39:39  krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
       renew until 04/29/09 16:39:39

• If the user's computer can not get a ticket for the desired host or saw the error "Server not found in Kerberos database" then there maybe a duplicate SPN configured for the desired host. This issue can be diagnosed by running ldifde or setspn.exe. This duplicate spn troubleshooting document gives detailed info on how to diagnose this issue.

The configuration steps were not run properly to add the Google Search Appliance as service to the domain. Make sure that the steps listed in the Enrolling the Search Appliance in the KDC Domain and Creating a Keytab File were run correctly.

Make sure that required services and servers are available.#

The Kerberos authentication protocol requires a functioning:

• KDC (ie domain controller
• Domain Name System (DNS) infrastructure
• network

in order to work properly. Verify that you can access these resources before you begin troubleshooting the Kerberos protocol.

Make sure that the clocks are synchronized across the Kerberos Realm.#

Many network services, including Kerberos authentication are dependent on time synchronization throughout Kerberos Realm.

There are some commands you can use to Verify Time is Synchronized.

Troubleshooting Kerberos SPN #

Often, you will find your service attempts to use kerberos authentication which fails and then the service falls-back to NTLM. The typical reason is that there is a failure for obtaining a Client-To-Server Ticket due to not finding the correct Service form the provided SPN.

Windows Troubleshooting Kerberos#

We found this guide Troubleshooting Kerberos Errors to be extensive in Troubleshooting Kerberos on Windows. The guide may also be helpful when Troubleshooting Kerberos for other platforms.

Kerberos Error Codes#

Kerberos Error Codes shows the responses from Troubleshooting Kerberos that a client might observe.

More Information#

There might be more information for this subject on one of the following:

• Kerberos
• Troubleshooting