Overview#
Some troubleshooting help for Kerberos.
Try these Yes/No Steps#
Can the user's computer get a Kerberos ticket#
To verify that the user's computer can get a Kerberos ticket for the desired service, run klist, kinit and kdestroy from the command line; all three ship with the MIT Kerberos client for Windows. In the session below, klist first shows only the ticket-granting ticket (krbtgt/...) that Windows obtained at logon, held in the LSA ticket cache (MSLSA:). `kinit -S HTTP/thehost.yourdomain.com` then asks the KDC for a ticket for the HTTP service on that host; the second klist lists the new service ticket next to the TGT, which shows that the KDC recognises that SPN. kdestroy purges the cache. Because the cache belongs to the Windows LSA, a later klist shows a freshly acquired TGT again (the final listing here is from a later session, hence the different timestamps).

```
C:\Program Files\MIT\Kerberos\bin>klist
Ticket cache: MSLSA:
Default principal: user1@YOURDOMAIN.COM

Valid starting     Expires            Service principal
04/21/09 17:36:33  04/22/09 03:36:33  krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
        renew until 04/28/09 17:36:33

C:\Program Files\MIT\Kerberos\bin>kinit -S HTTP/thehost.yourdomain.com
Password for user1@YOURDOMAIN.COM:

C:\Program Files\MIT\Kerberos\bin>klist
Ticket cache: MSLSA:
Default principal: user1@YOURDOMAIN.COM

Valid starting     Expires            Service principal
04/21/09 17:36:47  04/22/09 03:36:47  krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
        renew until 04/28/09 17:36:47
04/21/09 17:36:47  04/22/09 03:36:47  HTTP/thehost.yourdomain.com@YOURDOMAIN.COM
        renew until 04/28/09 17:36:47

C:\Program Files\MIT\Kerberos\bin>kdestroy

C:\Program Files\MIT\Kerberos\bin>klist
Ticket cache: MSLSA:
Default principal: user1@YOURDOMAIN.COM

Valid starting     Expires            Service principal
04/22/09 16:39:39  04/23/09 02:39:39  krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
        renew until 04/29/09 16:39:39
```
- If the user's computer cannot get a ticket for the desired host, or kinit reports "Server not found in Kerberos database", the SPN for that host is probably either not registered at all or registered on more than one account (a duplicate SPN). The KDC cannot choose between two accounts holding the same SPN, so it answers as if the principal did not exist, and the domain controller logs a KDC event (Event ID 11, "duplicate names") at the same time. This can be diagnosed with ldifde (export every object that carries a servicePrincipalName and look for repeats) or with setspn.exe (`setspn -Q HTTP/thehost.yourdomain.com` lists the accounts holding that SPN; `setspn -X` searches the forest for duplicates). The duplicate SPN troubleshooting document gives detailed steps for this diagnosis.
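The following script, added here as an example and not part of the original page, performs the ldifde half of that check offline. It parses an LDIF export of servicePrincipalName values, the kind of file `ldifde -f spn.ldf -r "(servicePrincipalName=*)" -l servicePrincipalName` writes, and classifies an SPN the way the KDC would see it: missing, duplicate, or held by exactly one account. The LDIF embedded below is constructed sample data; the DNs, host names and the `yourdomain.com` realm are placeholders, and the MSSQLSvc record only exists to exercise the base64 (`::`) value syntax that ldifde uses for some values.

```python
"""Check an ldifde export for missing or duplicate servicePrincipalName values.

Added example for this page, not code from the original. It reads the LDIF that
an export such as

    ldifde -f spn.ldf -r "(servicePrincipalName=*)" -l servicePrincipalName

produces (running ldifde is assumed to have been done already). SAMPLE_LDIF is
constructed test data; every DN and host name in it is a placeholder.
"""
import base64
from collections import defaultdict

# Constructed sample: HTTP/thehost.yourdomain.com is registered on both the
# computer object and a service account. A KDC that finds one SPN on two
# accounts cannot pick one and returns KDC_ERR_S_PRINCIPAL_UNKNOWN, which MIT
# kinit prints as "Server not found in Kerberos database".
_B64_SPN = base64.b64encode(b"MSSQLSvc/dbhost.yourdomain.com:1433").decode()
SAMPLE_LDIF = f"""\
dn: CN=THEHOST,OU=Servers,DC=yourdomain,DC=com
changetype: add
servicePrincipalName: HOST/THEHOST
servicePrincipalName: HOST/thehost.yourdomain.com
servicePrincipalName: HTTP/thehost.yourdomain.com

dn: CN=svc-web,OU=Service Accounts,DC=yourdomain,DC=com
changetype: add
servicePrincipalName: http/thehost.yourdomain.com
servicePrincipalName: HTTP/thehost.yourdomain.com
 :8080

dn: CN=svc-sql,OU=Service Accounts,DC=yourdomain,DC=com
changetype: add
servicePrincipalName:: {_B64_SPN}
"""


def _unfold(text):
    """Join LDIF continuation lines: a line starting with a single space
    continues the previous line, so long SPNs come back as one value."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_spns(ldif_text):
    """Return [(dn, [spn, ...]), ...], one tuple per LDIF record.
    'attr:: <base64>' values are decoded; attributes other than dn and
    servicePrincipalName are ignored."""
    records, dn, spns = [], None, []
    for line in _unfold(ldif_text) + [""]:      # trailing "" flushes the last record
        if line == "":
            if dn is not None:
                records.append((dn, spns))
            dn, spns = None, []
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):               # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname":
            spns.append(value)
    return records


def _holders(records):
    """Map each SPN to the set of DNs carrying it. SPNs are lower-cased
    because the KDC and setspn -X compare them case-insensitively."""
    holders = defaultdict(set)
    for dn, spns in records:
        for spn in spns:
            holders[spn.lower()].add(dn)
    return holders


def find_duplicate_spns(ldif_text):
    """Return {spn: [dn, ...]} for every SPN held by more than one object,
    the same condition that 'setspn -X' reports."""
    return {spn: sorted(dns)
            for spn, dns in _holders(parse_spns(ldif_text)).items()
            if len(dns) > 1}


def diagnose(ldif_text, spn):
    """Classify one SPN as the KDC would see it: 'missing' (no account holds
    it), 'duplicate' (more than one does) or 'ok' (exactly one).
    Returns (status, sorted list of holder DNs)."""
    dns = sorted(_holders(parse_spns(ldif_text)).get(spn.lower(), set()))
    if not dns:
        return "missing", dns
    if len(dns) > 1:
        return "duplicate", dns
    return "ok", dns


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print(f"DUPLICATE {spn}")
        for dn in dns:
            print(f"    {dn}")
    for spn in ("HTTP/thehost.yourdomain.com",
                "HTTP/thehost.yourdomain.com:8080",
                "HTTP/otherhost.yourdomain.com"):
        status, dns = diagnose(SAMPLE_LDIF, spn)
        print(f"{status:9} {spn}")
```

Against a real export, point `parse_spns` at the file contents instead of SAMPLE_LDIF; a "duplicate" result for the SPN your client requests (the one you passed to `kinit -S`) means the KDC will keep answering "Server not found in Kerberos database" until the SPN is removed from all but the account that actually runs the service, and a "missing" result means nobody registered it.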
Make sure that required services and servers are available.#
The Kerberos authentication protocol requires a functioning:
- KDC (i.e. a domain controller)
- Domain Name System (DNS) infrastructure (clients locate KDCs through the domain's SRV records and derive the SPN they request from the host name they resolve)
- network path between the client, the KDC and the service
Make sure that the clocks are synchronized across the Kerberos Realm.#
Many network services, including Kerberos authentication, depend on time synchronization throughout the Kerberos realm. By default Kerberos rejects requests whose timestamps differ from the KDC's clock by more than five minutes ("Clock skew too great"), so a client, a KDC or a service host whose clock has drifted will fail even though its SPNs and DNS are correct. There are some commands you can use to verify time is synchronized; on Windows, `w32tm /query /status` shows the client's time source and current offset, and `w32tm /stripchart /computer:<domain controller> /samples:5 /dataonly` measures the offset against a specific domain controller.
Troubleshooting Kerberos SPN#
Often you will find that a service attempts Kerberos authentication, fails, and then falls back to NTLM. The typical reason is that the client cannot obtain a client-to-server (service) ticket because the KDC cannot find the service account from the SPN the client presented: the SPN is missing, registered on the wrong account, or registered on more than one account. The fallback is silent from the user's point of view, so a service that "works" may still be authenticating with NTLM rather than Kerberos.
Windows Troubleshooting Kerberos#
We found this guide useful: Troubleshooting Kerberos Errors
