Verify the Basic Configurations
Perform the following checks to verify that the basic configurations are accurate:
- Ensure that the following ACO parameters are correctly configured:
  - HttpServicePrincipal: Ensure that the value is in the HTTP/web_server_name@kerberos_realm format. In web_server_name, enter the name of the web server that is used by the HTTP user agent. If there are multiple web servers behind a load balancer, enter the name of the load balancer.
  - KCCExt: Ensure that the extension value is .kcc.
  - SmpsServicePrincipal: Ensure that the value is in the smps@policy_server_name format.
  For information about these ACO parameters, see Policy Server Configuration for Kerberos Authentication.
- In the Kerberos authentication scheme, verify that the value of Principal Name is the same as the SmpsServicePrincipal ACO parameter value. For information about the authentication scheme configuration, see Policy Server Configuration for Kerberos Authentication.
- Synchronize the Policy Server system clocks (within 2 minutes) to the KDC system clock. Otherwise, Kerberos authentication fails because of clock skew errors.
- Verify that all the hosts have suitable entries in the DNS or in the /etc/hosts file. Each entry in the hosts file must contain an IP address, a fully-qualified domain name (FQDN), and a host name. The order of these fields matters in some cases. Separate the fields by a single space, in the following order: IP_address FQDN hostname
- View the Kerberos tokens that are exchanged between the browser and the web server by installing any network packet trace utility on the workstation. A token starting with TIR is an NTLM token, and a token starting with YII is a Kerberos token.
- Enable the Policy Server and the Web Agent logs to record the authentication error messages. Set the KRB5_TRACE environment variable to enable Kerberos logging. Define the name and path of the log file in the environment variable.
- Ensure that you configure the KRB5RCACHETYPE parameter to avoid Policy Server and Access Gateway crashes. Windows: Add KRB5RCACHETYPE as an environment variable and set its value to none. UNIX: Set the KRB5RCACHETYPE environment variable to none and export it.
- Log off the workstation host after any change in encryption type at the KDC.
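Most of the checks in this list can be scripted. The following Python script is an added example and is not part of the SiteMinder documentation or product: it validates an ACO parameter set and the authentication scheme's Principal Name against the formats given above, checks the KRB5_TRACE and KRB5RCACHETYPE environment variables, checks that a hosts-file line has the IP_address FQDN hostname layout, and classifies a captured Authorization: Negotiate header value as NTLM or Kerberos/SPNEGO by decoding the token rather than by looking at its base64 prefix. The ACO values, hosts lines and tokens it uses are constructed samples, and the function names are the example's own.

```python
"""Kerberos checklist helpers (added example, not SiteMinder code; sample values are constructed)."""
import base64
import re

# --- ACO and authentication-scheme checks -----------------------------------
HTTP_SPN = re.compile(r"^HTTP/[^@/\s]+@[^@\s]+$")  # HTTP/web_server_name@kerberos_realm


def check_aco(aco, scheme_principal_name):
    """Return a list of problems; an empty list means the parameters match the checklist."""
    problems = []
    if not HTTP_SPN.match(aco.get("HttpServicePrincipal", "")):
        problems.append("HttpServicePrincipal must be HTTP/web_server_name@kerberos_realm")
    if aco.get("KCCExt") != ".kcc":
        problems.append("KCCExt must be .kcc")
    smps = aco.get("SmpsServicePrincipal", "")
    if not smps.startswith("smps@") or len(smps) == len("smps@"):
        problems.append("SmpsServicePrincipal must be smps@policy_server_name")
    if smps != scheme_principal_name:
        problems.append("authentication scheme Principal Name differs from SmpsServicePrincipal")
    return problems


# --- environment and hosts-file checks --------------------------------------
def check_env(env):
    """Check an environment mapping (e.g. os.environ) for the two variables the list requires."""
    problems = []
    if env.get("KRB5RCACHETYPE") != "none":
        problems.append("KRB5RCACHETYPE must be none (Windows: environment variable; UNIX: set and export)")
    if not env.get("KRB5_TRACE"):
        problems.append("KRB5_TRACE is unset, so Kerberos library tracing is off")
    return problems


def hosts_entry_ok(hosts_text, fqdn):
    """True if a non-comment line reads 'IP_address FQDN hostname' for fqdn, in that order."""
    short = fqdn.split(".", 1)[0].lower()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[1].lower() == fqdn.lower() and fields[2].lower() == short:
            return True
    return False


# --- token classification ---------------------------------------------------
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2
MECHS = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos", MS_KRB5_OID: "Kerberos (MS)"}


def _der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_token(raw):
    """NTLM tokens start with the NTLMSSP signature; GSS-API tokens are DER [APPLICATION 0] + mech OID."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM"
    if not raw or raw[0] != 0x60:
        return "unknown"
    _, i = _der_len(raw, 1)
    if i >= len(raw) or raw[i] != 0x06:
        return "unknown"
    oid_len, i = _der_len(raw, i + 1)
    return MECHS.get(raw[i:i + oid_len], "unknown GSS mechanism")


def classify_header(value):
    """Classify an 'Authorization: Negotiate <base64>' value; return (kind, first 4 base64 chars)."""
    m = re.match(r"\s*(?:Negotiate|NTLM)\s+([A-Za-z0-9+/=]+)", value)
    if not m:
        return "none", ""
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return classify_token(raw), b64[:4]


# Constructed samples, not real captures: an NTLM Type 1 message and a SPNEGO-style wrapper.
def sample_ntlm_header():
    raw = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x97\x82\x08\xe2" + b"\x00" * 16
    return "Negotiate " + base64.b64encode(raw).decode()


def sample_spnego_header(pad=300):
    inner = b"\x06" + bytes([len(SPNEGO_OID)]) + SPNEGO_OID + b"\x00" * pad  # placeholder body
    return "Negotiate " + base64.b64encode(b"\x60\x82" + len(inner).to_bytes(2, "big") + inner).decode()


if __name__ == "__main__":
    aco = {"HttpServicePrincipal": "HTTP/www.example.com@EXAMPLE.COM", "KCCExt": ".kcc",
           "SmpsServicePrincipal": "smps@ps.example.com"}
    print(check_aco(aco, "smps@ps.example.com"))
    print(check_env({"KRB5_TRACE": "/tmp/krb5_trace.log", "KRB5RCACHETYPE": "none"}))
    print(hosts_entry_ok("192.0.2.10 ps.example.com ps\n", "ps.example.com"))
    for header in (sample_ntlm_header(), sample_spnego_header()):
        print(classify_header(header))
```

Classifying by decoded bytes is more reliable than eyeballing the base64 text: the NTLMSSP signature always base64-encodes to a value beginning TlRM, while the YII prefix only appears when the GSS-API wrapper's DER length is in two-byte long form, which is the case for the several-hundred-byte Kerberos AP-REQ tokens seen in practice but not for very short tokens. Run the script on a Policy Server or Access Gateway host with os.environ passed to check_env, or paste a header value taken from the packet trace into classify_header.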