Troubleshooting > Kerberos troubleshooting

Kerberos troubleshooting

If you are having trouble with SSO using your Windows logon, the first thing to check is that all clocks involved are set. Authentication Service, the KDC, and your local desktop all have to be synchronized. Use an NTP server to make sure they are all within a minute of each other. Open up a command window and run:

net time /set

If clocks are not the issue, you may have a problem with:

the setup of the KDC

Active Directory

your local desktop setup.

You can use Kerbtray from Microsoft to validate that you are receiving a valid Kerberos ticket from your KDC:

http://www.microsoft.com/downloads/details.aspx?familyid=4E3A58BE-29F6-49F6-85BE-E866AF8E7A88&displaylang=en

After attempting to log on to Authentication Service, you should have a Kerberos ticket in the list that matches the Authentication Service URL. If you don't, it could be because:

the KDC didn't distribute a ticket. Check you logged on to the correct domain, rather than just locally to your desktop.

your system rejected the ticket. The most common reason for this is incompatibility with encryption types.

This screen can also be used for further diagnostics. You could double-check the following:

Verify all names and targets on the Names tab match the WindowsDesktopSSO configuration in Authentication Service.

Make sure the time stamps for the Kerberos ticket that matches your Authentication Service is current. Invalid times could indicate mis-configuration of your KDC.

If using the older DES encryption, you will need to make sure all systems allow for it, as some service packs and operating systems from Microsoft have removed support for DES.

 

 

Troubleshooting > Kerberos troubleshooting