Verify the Policy Server Configuration

Enable the trace log to help troubleshoot Kerberos authentication problems.

Check Kerberos Configuration File

Check the Kerberos configuration file as described in Verify the Web Agent Configuration.

Check Keytab File

  • Check the keytab file as described in Verify the Web Agent Configuration.
  • Check that these principal names match exactly:
    • Policy server keytab
    • Authentication scheme principal name
  • Check that the server portion of the principal name matches the SmpsServicePrincipal ACO parameter.

Check Policy Server Authentication to KDC

When the Web Agent sends a first request with the smps service ticket to the Policy Server, the Policy Server authenticates to the KDC using the credentials that are stored in the keytab file.
Check for successful AS-REQ/AS-REP messages between the Policy Server machine and the KDC. This phase is called "obtaining initial credentials": the Policy Server, using the credentials saved in the keytab file, authenticates to the KDC and acquires a TGT (ticket granting ticket).
Check that the key version number in the AS-REP message matches the key version number in the TGS-REP message that was sent to the Web Agent when it requested the smps service ticket.

Check Client User is Authenticated

Check the trace log to see if the user was successfully authenticated. If the user is not authenticated, verify that the User DN Lookup setting is correct in the authentication scheme. If the user is authenticated, then the Web Agent must set SMSESSION in the HTTP 302 response that is sent to the Client, redirecting the web browser to the Kerberos-protected resource.

Check Client User is Authorized

Check that the Client user can access the Kerberos-protected resource. If the Client user is authenticated and receives a session cookie but still cannot access the Kerberos-protected resource, then check that the user account is included in the policy that grants access to the resource.

Resolve KDC Support for Encryption Type

If the Kerberos authentication setup on Linux fails with the following error message:
kinit: KDC has no support for encryption type while getting initial credentials
Do the following:
  • Verify whether the KDC settings restrict any specific encryption types.
  • Verify whether the service account has "Use Kerberos DES encryption types for this account" checked. This option restricts the service account to the DES encryption type only. Uncheck it to support any encryption type.
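As an added example (not SiteMinder's own tooling), the following Python script applies the keytab checks from this page to the output of `klist -kte`: it confirms that the keytab principal matches the authentication scheme principal, that the server portion matches the SmpsServicePrincipal ACO value, that the key version number seen in the smps service ticket exists in the keytab, and that the keys are not DES-only. The sample listing, host names, realm and the assumption that SmpsServicePrincipal holds the `smps/host` form (without realm) are constructed for this example.

```python
import re

# Constructed sample of `klist -kte` output (MIT Kerberos); the path, host
# and realm are placeholders, not values from a real deployment.
SAMPLE_KLIST = """Keytab name: FILE:/opt/smps.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/02/2024 10:00:00 smps/policyserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 01/02/2024 10:00:00 smps/policyserver.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

# One keytab entry line: kvno, date, time, principal, (enctype)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples parsed from `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def check_keytab(text, scheme_principal, smps_service_principal, ticket_kvno):
    """Return a list of problems; an empty list means every check passed.
    scheme_principal: principal configured on the authentication scheme.
    smps_service_principal: SmpsServicePrincipal ACO value, assumed to be the
        server portion 'smps/host' without the realm.
    ticket_kvno: key version number seen in the TGS-REP for the smps ticket.
    """
    problems = []
    entries = parse_klist(text)
    if not entries:
        return ["no key entries found in keytab listing"]
    principals = {p for _, p, _ in entries}
    if scheme_principal not in principals:
        problems.append("scheme principal %s not in keytab %s" % (scheme_principal, sorted(principals)))
    # Server portion is everything before '@', e.g. smps/policyserver.example.com
    server_parts = {p.split("@", 1)[0] for p in principals}
    if smps_service_principal not in server_parts:
        problems.append("SmpsServicePrincipal %s not in keytab %s" % (smps_service_principal, sorted(server_parts)))
    kvnos = {k for k, _, _ in entries}
    if ticket_kvno not in kvnos:
        problems.append("ticket kvno %d absent from keytab kvnos %s" % (ticket_kvno, sorted(kvnos)))
    # A DES-only keytab matches the "KDC has no support for encryption type" symptom
    if all(e.startswith("des-") for _, _, e in entries):
        problems.append("keytab holds only DES keys; clear the DES-only option on the service account")
    return problems
```

Run `klist -kte /path/to/smps.keytab` on the Policy Server host and pass its output, the scheme principal, the ACO value and the kvno from the trace log to `check_keytab`.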