Troubleshoot Kerberos Authentication Setup

Consider the following items when working with Kerberos authentication:
Consider the following items when working with Kerberos authentication:
System Setup and Monitoring Considerations
  • Synchronize the Policy Server system clocks (within 2 minutes) to the KDC system clock. Otherwise, Kerberos authentication fails because of clock skew errors.
  • Verify that all the hosts have suitable entries in the DNS or in the /etc/hosts file. Each entry in the hosts file must contain an IP addresses, fully-qualified domain name (FQDN) and host name. The order of these entries matters in some cases. Separate multiple entries by a single space.
    FQDN hostname
  • View Kerberos tokens that are exchanged between the browser and web server by installing any network packet trace utility on the workstation. The token starting with TIR indicates NTLM tokens, and tokens starting with YII denote the Kerberos tokens.
  • Always enable the Policy Server and the Web Agent logs to record the authentication error messages.
  • Log off the workstation host after any change in encryption type at the KDC. 
Client Utilities to Manage the Kerberos Environment
(For client applications connecting only to a UNIX KDC only)
Use klist to list the contents of a keytab file. It also lists the Kerberos tickets held in a credentials cache, or the keys held in a keytab file. The flag 
provides information about tickets flags. These tickets are forwarded to complete the Kerberos authentication process. 
The following text is a sample of a klist output:
bash-2.05$ klist Ticket cache: /tmp/krb5cc_1002 Default principal: HTTP/[email protected] Valid starting Expires Service principal Mon Dec 22 15:00:03 2014 Mon Dec 22 21:40:03 2014 krbtgt/[email protected]
Use the kinit program to obtain and cache an initial ticket-granting ticket for the user and service principal at the UNIX KDC host and KDC client. 
The kinit syntax for the user principal is:
This command prompts for the password used while creating the user principal.
The kinit syntax (it can vary from host to host) for service principal is:
kinit -k [-t
specifies the location of the keytab file that contains the service principal name.
is the name of the service principal 
The kinit command does not prompt for a password because it uses a keytab file to authenticate the service principal.
  • Install any network packet trace utility on the workstation to see the Kerberos tokens exchanged between the browser and web server. The token starting with TIR indicates NTLM tokens, and tokens starting with YII denote the Kerberos tokens.
Verify the version of ktpass utility. The ktpass command tool utility is included in the Windows support tools and can be installed from MSDN download.
Confirm the key version number (kvno). The kvno of the service principal must match the kvno of its keytab file. The kvno number of any keytab is displayed when it is created.
To determine the version number of a service account for Windows Active Directory, use the ADSI Edit as follows:
  1. Run adsiedit.msc from command prompt.
  2. Go to service account, under CN=Users, DC=domain, DC=com under drop-down Domain (fqdn_ADhost) at the left.
  3. Right-click the service account and click properties.
  4. Verify the value of the msDs-KeyVersionNumber attribute, which matches the one shown while creating the keytab file for the service account.
The kvno for any user account changes every time that its password is changed. If the version numbers do not match, create an account and keytab, or change the password to match the kvno to the kvno of the keytab.
To determine the version number of a service account for a UNIX MIT KDC, enter the following command:
Keytab Issues
  • Verify that the name and location of keytab file for any host matches what is specified in the krb5.conf file.
  • The krb5.keytab files for the Policy Server and the web server/Web Agent hosts must contain the host and service principal names.
  • Always confirm the encryption type that is used while creating the keytab file. Windows by default supports RC4-HMAC encryption.
  • Restart the Policy Server and web server services after any changes are made to the Kerberos configuration or the keytab files. 
  • Verify that the keytab file is valid:
    Verify whether the keytab file is valid. Use the Windows support tools on the Policy Server and Web Agent. Run the following command:
    kinit -k -t 
    For example:
    kinit -k -t C:\Windows\webserver.keytab HTTP/[email protected]
    This command returns no error when the keytab file is valid.
    Verify that the keytab files on the Policy Server and Web Agent are valid by running the following commands:
    kinit -k -t 
    For example:
    kinit -k -t krbsvc-smps.keytab smps/[email protected]
    kinit -k -t krbsv-smwa.keytab HTTP/[email protected]
    If you get no errors, keytab files are fine, and the krb.conf file has valid values. If you get an error, verify that the SPN is valid in the KDC using the following command:
    kinit host/
    This command usually asks for password. If you provide a valid password, you do not get an error message. If this command does not ask for password, the SPN was not identified. Check the property of that object. The SPN entry is on the Account tab, for example, 
    . Verify that no other object has the same entry set as SPN.
Resolve KDC Support for Encryption Type
If the Kerberos Authentication setup on Linux fails on Linux with the following error message:
kinit: KDC has no support for encryption type while getting initial credentials
Do the following:
  • Verify if the KDC settings has restricted any specific encryption types.
  • Verify that the service account has "Use Kerberos DES encryption types for this account" checked. This will restrict the services account only to use DES encryption type. Uncheck this option option to support any encryption type.
For more detailed troubleshooting information, see the Kerberos Troubleshooting article in CA Communities.