Verify the Basic Configurations

Perform the following checks to verify that the basic configurations are accurate:
  • Ensure that the following ACO parameters are correctly configured:
    1. HttpServicePrincipal
       Ensure that the value is in the HTTP/web_server_name@kerberos_realm format. In web_server_name, enter the name of the web server that is used by the HTTP user agent. If there are multiple web servers behind a load balancer, enter the name of the load balancer.
    2. KCCExt
       Ensure that the extension value is .kcc.
    3. SmpsServicePrincipal
       Ensure that the value is in the smps@policy_server_name format.
    For information about these ACO parameters, see Policy Server Configuration for Kerberos Authentication.
  • In the Kerberos authentication scheme, verify that the value of Principal Name is the same as the SmpsServicePrincipal ACO parameter value.
    For information about the authentication scheme configuration, see Policy Server Configuration for Kerberos Authentication.
  • Synchronize the Policy Server system clocks (within 2 minutes) to the KDC system clock. Otherwise, Kerberos authentication fails because of clock skew errors.
  • Verify that all the hosts have suitable entries in the DNS or in the /etc/hosts file. Each entry in the hosts file must contain an IP address, the fully-qualified domain name (FQDN), and the host name. The order of these fields matters in some cases. Separate the fields by a single space:
    IP_address FQDN hostname
  • View the Kerberos tokens that are exchanged between the browser and the web server by installing a network packet trace utility on the workstation. A token starting with TlR is an NTLM token; tokens starting with YII are Kerberos tokens.
  • Enable the Policy Server and the Web Agent logs to record the authentication error messages. Set the KRB5_TRACE environment variable to enable Kerberos logging; its value is the path and name of the log file.
  • Ensure that you configure the KRB5RCACHETYPE parameter to avoid Policy Server and Access Gateway crashes.
    Windows: Add KRB5RCACHETYPE as an environment variable and set its value to none.
    UNIX: Set the KRB5RCACHETYPE environment variable to none and export it.
  • Log off the workstation host after any change in encryption type at the KDC.
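The checks above, as an added example that is not part of the original documentation: a POSIX shell script that validates the ACO value formats, the Principal Name match, the hosts-file entry layout and the 2-minute clock skew limit. Every hostname, realm, address and epoch value in it is a constructed placeholder.

```shell
#!/bin/sh
# Constructed validators for the checks in this section.
# All sample values are placeholders, not values from any real deployment.

# HttpServicePrincipal must be HTTP/<web_server_name>@<kerberos_realm>
check_http_spn() {
    printf '%s\n' "$1" | grep -Eq '^HTTP/[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?@[A-Za-z0-9.-]+$'
}

# SmpsServicePrincipal must be smps@<policy_server_name> (no realm suffix)
check_smps_spn() {
    printf '%s\n' "$1" | grep -Eq '^smps@[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# KCCExt must be exactly ".kcc"
check_kcc_ext() {
    [ "$1" = ".kcc" ]
}

# The scheme's Principal Name must equal the SmpsServicePrincipal ACO value
check_principal_match() {
    [ "$1" = "$2" ]
}

# A hosts line must be "IP_address FQDN hostname", single-space separated, in that order
check_hosts_entry() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3} [A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+ [A-Za-z0-9-]+$'
}

# Policy Server and KDC clocks (both given as epoch seconds) must agree within 2 minutes
check_clock_skew() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - $skew )); fi
    [ "$skew" -le 120 ]
}

# Run every check against constructed sample values and report the first failure
run_checks() {
    status=0
    check_http_spn 'HTTP/lb.example.com@EXAMPLE.COM'  || { echo 'FAIL HttpServicePrincipal'; status=1; }
    check_smps_spn 'smps@ps01.example.com'             || { echo 'FAIL SmpsServicePrincipal'; status=1; }
    check_kcc_ext '.kcc'                               || { echo 'FAIL KCCExt'; status=1; }
    check_principal_match 'smps@ps01.example.com' 'smps@ps01.example.com' || { echo 'FAIL Principal Name'; status=1; }
    check_hosts_entry '10.0.0.5 www.example.com www'   || { echo 'FAIL hosts entry'; status=1; }
    check_clock_skew "$(date +%s)" "$(date +%s)"       || { echo 'FAIL clock skew'; status=1; }
    return $status
}
```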