SMB SSL-VPN: Error "Failure in kerberos: Client not found in Kerberos database"
03/26/2020
DESCRIPTION: AD users are able to authenticate and connect to the appliance, but every time a user authenticates the appliance log records the error message below:
Failure in kerberos_kinit_password: Client not found in Kerberos database
Step 1: -1765328360 Preauthentication failed. The appliance does support preauthentication, but the KDC returns this error whenever something else causes the preauthentication exchange to fail (most often a password or key that does not match what the KDC holds for the principal). The workaround is to disable Kerberos preauthentication for the service account in Active Directory (see "How to Test" below).
Step 2: -1765328353 Decrypt integrity check failed. The encryption key stored in the keytab does not match the key the KDC holds for the principal. First reset the GSA's service account password in Active Directory, then run ktpass again and verify that the password is entered correctly; a keytab generated before the password reset carries the old key (and an old key version number) and must be regenerated. We have also found that deleting and recreating the GSA user in Active Directory and repeating the entire user setup and ktpass registration commands solves this problem.
Step 3: -1765328378 Client not found in Kerberos database. The principal specified in the keytab was either not found in Active Directory or matched more than one account. The principal name used in the keytab must match the userPrincipalName of exactly one user account in Active Directory. You can verify the principal name stored in the keytab by running the klist command: klist -k
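The three checks above can be scripted. The following Python is an added example written for this article, not code from SonicWall or from the appliance: it decodes the negative libkrb5 error codes quoted in Steps 1 to 3 into their symbolic names (assuming the appliance logs raw libkrb5 codes, which the values above indicate), parses an MIT-format keytab to list its principals (the same information klist -k prints), and checks each principal against a directory listing for exactly one matching userPrincipalName, also reporting whether that account has the "Do not require Kerberos preauthentication" bit (userAccountControl 0x400000) set. The keytab bytes and the account list are constructed inline for the example; in practice you would read the real keytab file and export the accounts with Get-ADUser or ldapsearch. The hostnames, account names, key bytes and kvnos are placeholders.

```python
import struct

# libkrb5 com_err table: base plus the error's index yields the negative codes in the
# appliance log (assumption for this example: the appliance logs raw libkrb5 codes).
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # Client not found in Kerberos database
    24: "KRB5KDC_ERR_PREAUTH_FAILED",      # Preauthentication failed
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",    # Decrypt integrity check failed
}
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit behind the AD checkbox


def krb5_error_name(code):
    """Map a negative libkrb5 error code from the log to its symbolic name."""
    return KRB5_ERROR_NAMES.get(code - KRB5_ERROR_TABLE_BASE, "unknown krb5 error %d" % code)


def _counted(s):
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Build an MIT v2 (0x0502) keytab from (principal, enctype, key, kvno) tuples.
    Only used to construct the sample keytab below; real ones come from ktpass."""
    out = b"\x05\x02"
    for principal, enctype, key, kvno in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm) + b"".join(_counted(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                      # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def _read_counted(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """List the principals in a keytab: the same information 'klist -k' prints."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:               # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen            # skip the key material itself
        kvno = vno8
        if end - pos >= 4:         # newer keytabs append a full 32-bit kvno
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        entries.append({"principal": "/".join(comps) + "@" + realm, "enctype": enctype, "kvno": kvno})
        pos = end
    return entries


def check_principals(keytab_entries, directory):
    """Find the AD accounts whose userPrincipalName matches each keytab principal
    (AD compares UPNs case-insensitively). Anything but exactly one match is the
    condition behind 'Client not found in Kerberos database'."""
    report = {}
    for entry in keytab_entries:
        upn = entry["principal"].lower()
        hits = [a for a in directory if a.get("userPrincipalName", "").lower() == upn]
        if not hits:
            result = {"status": "not_found", "account": None, "preauth_required": None}
        elif len(hits) > 1:
            result = {"status": "ambiguous", "account": [a["sAMAccountName"] for a in hits],
                      "preauth_required": None}
        else:
            uac = hits[0].get("userAccountControl", 0)
            result = {"status": "ok", "account": hits[0]["sAMAccountName"],
                      "preauth_required": not (uac & UF_DONT_REQUIRE_PREAUTH)}
        report[entry["principal"]] = result
    return report


# Constructed sample data; names, keys and kvnos are placeholders, not real values.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/vpn.example.com@EXAMPLE.COM", 23, b"\x11" * 16, 3),  # enctype 23 = rc4-hmac
    ("HTTP/old.example.com@EXAMPLE.COM", 23, b"\x22" * 16, 1),
    ("HTTP/dup.example.com@EXAMPLE.COM", 23, b"\x33" * 16, 2),
])
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "svc-sslvpn", "userPrincipalName": "HTTP/vpn.example.com@EXAMPLE.COM", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-dup1", "userPrincipalName": "HTTP/dup.example.com@EXAMPLE.COM", "userAccountControl": 0x200},
    {"sAMAccountName": "svc-dup2", "userPrincipalName": "http/dup.example.com@example.com", "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH},
]

if __name__ == "__main__":
    for code in (-1765328360, -1765328353, -1765328378):
        print(code, krb5_error_name(code))
    for principal, result in check_principals(parse_keytab(SAMPLE_KEYTAB), SAMPLE_DIRECTORY).items():
        print(principal, result)
```

A principal reported as not_found or ambiguous is the Step 3 condition; a principal reported ok with preauth_required True is the state in which Step 1's error can still appear if the keytab key is stale, which is the Step 2 check.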
Verify your content server supports Kerberos
Verify that your content server is using Kerberos and not just NTLM. Browse directly to the URL of a protected page on the content server with a browser extension or the browser's developer tools that shows response headers. The HTTP server should answer with the header "WWW-Authenticate: Negotiate". If the server does not return that header (for example it returns only "WWW-Authenticate: NTLM"), it most likely does not support Kerberos.
Verify your browser supports Kerberos
Your browser must also answer the content server's "Negotiate" challenge with a Kerberos token embedded in the request. The response should be of the form "Authorization: Negotiate YIIFRwYG...." (a GSS-API/SPNEGO token carrying a Kerberos ticket) and not "Authorization: Negotiate TlRMTVNTUAAB...." (the base64 prefix of a raw NTLMSSP message, meaning the browser fell back to NTLM). You can also use the MIT Kerberos client (kinit and klist) to verify that the workstation actually obtained a Kerberos ticket for the content server.
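To show what these two checks look like in code, here is an added Python example (not from the original article or from SonicWall) that classifies the server's WWW-Authenticate challenge and the browser's Authorization: Negotiate response. It decodes the base64 token, distinguishes a raw NTLMSSP message (base64 "TlRMTVNTUAAB...") from a GSS-API/SPNEGO token ("YII..."), and for SPNEGO parses the NegTokenInit mechTypes list to see which mechanism the browser actually preferred. That goes one step beyond the prefix test in the text, because a SPNEGO token can wrap NTLM as well as Kerberos and the prefix alone does not tell you which. The sample header values are constructed inline, with a zero-filled dummy in place of a real Kerberos AP-REQ; the DER encoder exists only to build those samples.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")  # 1.3.6.1.5.5.2
MECH_NAMES = {
    bytes.fromhex("2a864886f712010202"): "Kerberos V5",  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS KRB5",      # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",    # 1.3.6.1.4.1.311.2.2.10
}
KERBEROS_MECHS = {"Kerberos V5", "MS KRB5"}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    """Minimal DER TLV encoder, used only to construct the sample tokens."""
    return bytes([tag]) + _der_len(len(body)) + body


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                     # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def build_spnego_init(mech_oids, mech_token):
    """GSS-API InitialContextToken { SPNEGO OID, [0] NegTokenInit { mechTypes, mechToken } }."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    neg_init = der(0xA0, der(0x30, mech_types + der(0xA2, der(0x04, mech_token))))
    return der(0x60, der(0x06, SPNEGO_OID) + neg_init)


def spnego_mechs(raw):
    """Return the mechanism names offered in a NegTokenInit, in the browser's preference order."""
    tag, body, _ = _tlv(raw, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = _tlv(body, 0)
    if tag != 0x06 or oid != SPNEGO_OID:
        raise ValueError("GSS-API token is not SPNEGO")
    _, neg, _ = _tlv(body, pos)      # [0] NegTokenInit
    _, seq, _ = _tlv(neg, 0)         # SEQUENCE of its fields
    mechs, p = [], 0
    while p < len(seq):
        tag, val, p = _tlv(seq, p)
        if tag == 0xA0:              # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = _tlv(val, 0)
            q = 0
            while q < len(lst):
                _, o, q = _tlv(lst, q)
                mechs.append(MECH_NAMES.get(o, "OID " + o.hex()))
    return mechs


def classify_authorization(header_value):
    """Classify the browser's Authorization header: kerberos, spnego-ntlm, raw-ntlm or not-negotiate."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme, "mechs": []}
    raw = base64.b64decode(token)
    if raw.startswith(b"NTLMSSP\x00"):          # NTLM message sent bare under the Negotiate scheme
        return {"kind": "raw-ntlm", "mechs": ["NTLMSSP"]}
    mechs = spnego_mechs(raw)
    kind = "kerberos" if mechs and mechs[0] in KERBEROS_MECHS else "spnego-ntlm"
    return {"kind": kind, "mechs": mechs}


def server_offers_negotiate(www_authenticate_values):
    """True if any WWW-Authenticate challenge from the server uses the Negotiate scheme."""
    return any(v.strip().split(" ")[0].lower() == "negotiate" for v in www_authenticate_values)


# Constructed sample headers (placeholders, not captured traffic).
KRB5_OID, MSKRB5_OID, NTLM_OID = (o for o, n in sorted(MECH_NAMES.items(), key=lambda kv: ["Kerberos V5", "MS KRB5", "NTLMSSP"].index(kv[1])))
DUMMY_AP_REQ = b"\x60\x82\x04\xd0" + b"\x00" * 1232        # stands in for a real AP-REQ of realistic size
NTLM_NEGOTIATE = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16
KERBEROS_SAMPLE = "Negotiate " + base64.b64encode(build_spnego_init([MSKRB5_OID, KRB5_OID], DUMMY_AP_REQ)).decode()
SPNEGO_NTLM_SAMPLE = "Negotiate " + base64.b64encode(build_spnego_init([NTLM_OID], NTLM_NEGOTIATE)).decode()
RAW_NTLM_SAMPLE = "Negotiate " + base64.b64encode(NTLM_NEGOTIATE).decode()

if __name__ == "__main__":
    print(server_offers_negotiate(["Negotiate", "NTLM"]))
    for sample in (KERBEROS_SAMPLE, SPNEGO_NTLM_SAMPLE, RAW_NTLM_SAMPLE):
        print(sample[:30], classify_authorization(sample))
```

The first OID in mechTypes is the mechanism whose token the browser included, so a NegTokenInit that leads with NTLMSSP means the client never obtained a Kerberos ticket even though the header starts with "Negotiate" and the base64 with "Y".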
How to Test:
Set "Do not require Kerberos preauthentication" on the account in Active Directory, then log in to the portal using domain credentials:
1. Open Active Directory Users and Computers with an account that has administrative privileges.
2. Right-click the user account and select Properties.
3. Open the Account tab.
4. Under Account options, make sure "Do not require Kerberos preauthentication" is checked, so that the Kerberos log messages no longer appear on the SRA appliance.
Note that an account with preauthentication disabled will be issued an AS-REP encrypted with its password-derived key to anyone who asks the KDC for it, which allows offline password guessing against that account (AS-REP roasting). Apply the setting only to the account that needs it and give that account a long, random password.