Failure in kerberos_kinit_password: Client not found in Kerberos database
03/26/2020 
19 
16387
DESCRIPTION:
AD users are able to authenticate and connect to the appliance, but when we check the logs we see the below error message every time a user authenticates
Failure in kerberos_kinit_password: Client not found in Kerberos database
RESOLUTION:
Step 1:-1765328360 Preauthentication failed
The appliance does support preauthentication, but this error will occur if there are other issues that cause a preauthentication failure. You should disable preauthentication for the user in Active Directory.
Step 2:-1765328353 Decrypt integrity check failed
This means that the encryption key stored in the keytab doesn't match the key stored in the KDC for the principal. You should first reset the GSAs account password in Active Directory and then run ktpass again and verify that the password is entered correctly. We have also found that deleting and recreating the GSA user in Active Directory and following the entire user setup and ktpass registeration commands solves this problem.
Step 3:-1765328378 Client not found in Kerberos database
This means that the principal specified in the keytab was either not found in Active Directory or it was found multiple times. The principal name used in the keytab must match the userPrincipalName entry in ActiveDirectory for only the user account. You can verify the principal name in the keytab by running the klist command: klist -k
Additional Information:
- Verify your content server supports Kerberos
Please verify your content server is using Kerberos (and not just NTLM). To verify Kerberos is used, go directly to the URL of a secure page on the content server using one of the header capturing browser extensions. The HTTP server should return the WWW-Authenticate: Negotiate HTTP header. If the HTTP server does not return the header, then it likely does not support Kerberos.
- Verify your browser supports Kerberos
Your browser also must respond back to the content servers "Negotiate" challenge with a kerberos token embedded in the response (the response should be in the form "Authorization: Negotiate YIIFRwYG...." and not "Authorization: Negotiate TRIM..."). You can also use the MIT Kerberos client to verify kerberos.
How to Test:
Enable require Kerberos preauthentication on AD
Login to portal using Domain Credentials
Troubleshooting:
1.Log in to Active Directory with Admin privilege
2.Select the user right click
3.Now click on Properties > Account tab
4. Under account options make sure "Do not require kerberos preauthentication" is enabled so that you no longer get the kerberos log messages on the SRA appliance.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
