!!! Overview
Some [Troubleshooting] help for [Kerberos]

!! Try these Yes/No Steps
! Can the user's computer get a Kerberos ticket
To verify if the user's computer can get a Kerberos ticket for the desired service you can run the programs [klist], [kinit] and [kdestroy]. These programs can be run from the command line and are included in the MIT Kerberos client.

{{{
C:\Program Files\MIT\Kerberos\bin>klist 
Ticket cache: MSLSA: 
Default principal: user1@YOURDOMAIN.COM 
Valid starting		Expires 	  Service principal 
04/21/09 17:36:33 	04/22/09 03:36:33 krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM  
	renew until 04/28/09 17:36:33 

C:\Program Files\MIT\Kerberos\bin>kinit -S HTTP/thehost.yourdomain.com 
Password for user1@YOURDOMAIN.COM: 

C:\Program Files\MIT\Kerberos\bin>klist 
Ticket cache: MSLSA: 
Default principal: user1@YOURDOMAIN.COM 
Valid starting 		Expires 	  Service principal 
04/21/09 17:36:47 	04/22/09 03:36:47 krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
	renew until 04/28/09 17:36:47 
04/21/09 17:36:47 	04/22/09 03:36:47 HTTP/thehost.yourdomain.com@YOURDOMAIN.COM  
	renew until 04/28/09 17:36:47  

C:\Program Files\MIT\Kerberos\bin>kdestroy

C:\Program Files\MIT\Kerberos\bin>klist
Ticket cache: MSLSA:
Default principal: user1@YOURDOMAIN.COM

Valid starting		Expires            Service principal
04/22/09 16:39:39	04/23/09 02:39:39  krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
       renew until 04/29/09 16:39:39

}}}
* If the user's computer cannot get a ticket for the desired host, or you saw the error "Server not found in Kerberos database", then there may be a duplicate SPN configured for the desired host. This issue can be diagnosed by running ldifde or [setspn.exe]. The duplicate SPN troubleshooting document gives detailed information on how to diagnose this issue.
* Alternatively, the configuration steps to add the Google Search Appliance as a service to the domain were not run properly. Make sure that the steps listed in "Enrolling the Search Appliance in the KDC Domain" and "Creating a Keytab File" were run correctly.

!! Make sure that required services and servers are available.
The [Kerberos] authentication protocol requires a functioning:
* [KDC] (i.e., domain controller)
* Domain Name System (DNS) infrastructure
* network 
in order to work properly. Verify that you can access these resources __before you begin__ troubleshooting the Kerberos protocol.

!! Make sure that the clocks are synchronized across the [Kerberos Realm].
Many network services, including Kerberos authentication, depend on time synchronization throughout the [Kerberos Realm].

There are some commands you can use to [Verify Time is Synchronized].

!! [Troubleshooting Kerberos SPN] 
Often, you will find that your service attempts [Kerberos] authentication, which fails, and the service then falls back to [NTLM]. The typical reason is a failure to obtain a [Client-To-Server Ticket] because the correct service could not be found from the provided [SPN].
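
The duplicate-SPN check mentioned in the first section, and the SPN lookup failure described here, can be worked through offline against an LDIF export of servicePrincipalName values. This is an added example, not code from the original page or from any tool it names; the sample records are constructed, and the names {{parse_ldif}} and {{find_duplicate_spns}} are hypothetical.

```python
import base64
from collections import defaultdict

# Constructed sample in LDIF layout; every DN and SPN here is made up.
SAMPLE_LDIF = """\
dn: CN=svc-web,OU=Service Accounts,
 DC=yourdomain,DC=com
servicePrincipalName: HTTP/thehost.yourdomain.com

dn: CN=THEHOST,CN=Computers,DC=yourdomain,DC=com
servicePrincipalName: HOST/thehost.yourdomain.com
servicePrincipalName: http/THEHOST.yourdomain.com

dn: CN=svc-sql,OU=Service Accounts,DC=yourdomain,DC=com
servicePrincipalName: MSSQLSvc/db1.yourdomain.com:1433
"""

def parse_ldif(text):
    """Yield (dn, [spn, ...]) for each LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: drop the single leading space
        else:
            lines.append(raw)
    dn, spns = None, []
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():              # blank line ends a record
            if dn is not None:
                yield dn, spns
            dn, spns = None, []
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: ..." carries a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if attr.lower() == "dn":
            dn = value.strip()
        elif attr.lower() == "serviceprincipalname":
            spns.append(value.strip())

def find_duplicate_spns(text):
    """Map each SPN held by more than one object to the sorted DNs holding it."""
    owners = defaultdict(set)
    for dn, spns in parse_ldif(text):
        for spn in spns:
            owners[spn.lower()].add(dn)   # SPN matching in AD ignores case
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print(f"{spn} is registered on:")
        for dn in dns:
            print(f"  {dn}")
```

In the sample, the HTTP SPN is held by both a service account and the computer object, differing only in case, which is the situation that produces "Server not found in Kerberos database".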
!! Windows [{$pagename}]
We found this guide [Troubleshooting Kerberos Errors|https://docs.google.com/a/willeke.com/document/d/17NATbvsoKc2-XAGEwFG27LUC9ow_DM2jQMbrKfxlVww/edit?pli=1|target='_blank'] to be extensive in [{$pagename}] on Windows. The [guide|https://docs.google.com/a/willeke.com/document/d/17NATbvsoKc2-XAGEwFG27LUC9ow_DM2jQMbrKfxlVww/edit?pli=1|target='_blank'] may also be helpful when [{$pagename}] for other platforms.

!! [Kerberos Error Codes]
[Kerberos Error Codes] shows the responses from [{$pagename}] that a client might observe.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]