- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
Failure in kerberos_kinit_password: Client not found in Kerberos database
03/26/2020 
20 People found this article helpful
101,280 Views
Description
AD users are able to authenticate and connect to the appliance, but when we check the logs we see the below error message every time a user authenticates
Failure in kerberos_kinit_password: Client not found in Kerberos database
Resolution
Step 1:-1765328360 Preauthentication failed
The appliance does support preauthentication, but this error will occur if there are other issues that cause a preauthentication failure. You should disable preauthentication for the user in Active Directory.
Step 2:-1765328353 Decrypt integrity check failed
This means that the encryption key stored in the keytab doesn't match the key stored in the KDC for the principal. You should first reset the GSAs account password in Active Directory and then run ktpass again and verify that the password is entered correctly. We have also found that deleting and recreating the GSA user in Active Directory and following the entire user setup and ktpass registeration commands solves this problem.
Step 3:-1765328378 Client not found in Kerberos database
This means that the principal specified in the keytab was either not found in Active Directory or it was found multiple times. The principal name used in the keytab must match the userPrincipalName entry in ActiveDirectory for only the user account. You can verify the principal name in the keytab by running the klist command: klist -k
Additional Information:
- Verify your content server supports Kerberos
Please verify your content server is using Kerberos (and not just NTLM). To verify Kerberos is used, go directly to the URL of a secure page on the content server using one of the header capturing browser extensions. The HTTP server should return the WWW-Authenticate: Negotiate HTTP header. If the HTTP server does not return the header, then it likely does not support Kerberos.
- Verify your browser supports Kerberos
Your browser also must respond back to the content servers "Negotiate" challenge with a kerberos token embedded in the response (the response should be in the form "Authorization: Negotiate YIIFRwYG...." and not "Authorization: Negotiate TRIM..."). You can also use the MIT Kerberos client to verify kerberos.
How to Test:
Enable require Kerberos preauthentication on AD
Login to portal using Domain Credentials
Troubleshooting:
1.Log in to Active Directory with Admin privilege
2.Select the user right click 
3.Now click on Properties > Account tab
4. Under account options make sure "Do not require kerberos preauthentication" is enabled so that you no longer get the kerberos log messages on the SRA appliance.
Related Articles
- CT with Device Guard is stuck on Identifying when GVC Client is installed
- SMA1000: CT compatibility with 3rd party VPN clients like GVC, Citrix and Fortinet
- How can I upgrade firmware in SMA 1000 series appliance?
YES
NO