Troubleshoot access to a Kerberized application

How to make sure your Kerberized applications are accessible.

Before you begin

Learn more about Kerberized applications. See Forward Kerberos ticket-granting ticket to application.

When a user tries to access an application and receives a directory service error 553, there is an issue with EAA obtaining the Kerberos ticket-granting ticket (TGT). To learn more about this error and other HTTP response codes see Application response codes, login events, and errors.

This is most commonly caused by an incorrect service principal name (SPN) configuration. An SPN is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer.

How to

  1. Make sure the Kerberos Key Distribution Center (KDC) is reachable from the EAA connector. The EAA connector uses the DNS service (SRV) record to locate the KDC when obtaining tickets. The DNS server used by the connector must be able to resolve the KDC service records, such as _kerberos._tcp.<domain-name>, for both the user's and the service's Kerberos domains.
  2. Make sure the firewall rules allow the connector to reach port 88 (Kerberos) on the KDC and the LDAP/LDAPS ports.
  3. Make sure the clocks of the EAA connector and the KDC are synchronized. Connectors rely on Ubuntu time servers to sync clocks. If the KDC runs on a different clock internally, you need to manually change the network time protocol (NTP) source on the agent to an NTP service that is used by the KDC.
  4. Make sure the service principal name (SPN) is discoverable by the KDC. Review the application’s advanced settings fields for accuracy and make changes as needed. For more information about the domain fields see Forward Kerberos ticket-granting ticket to application. Issues are commonly found with the information entered into these fields:
    1. Application-facing Authentication Mechanism. Verify that Kerberos is selected.
    2. Forward Kerberos Ticket-Granting Ticket to App. Verify that the checkbox is selected.
    3. Application authentication domain. Verify that the internal hostname is correct.
    4. Service Principal Name. Make sure that the SPN in this field is the same as the SPN configured in the Active Directory (AD) account.
  5. Make sure the SPN for the internal application follows this schema: <service-protocol>/<service-fqdn>:<service-port>@<service-domain>.
    • If the service protocol is HTTP or HTTPS, use HTTP.
    • If the service port is a standard port, omit the port.
      Example of SPN format
  6. Verify the KDC is not experiencing policy errors. The KDC may reject requests due to policy restrictions.
    1. Determine the root cause by examining the KDC logs.
    2. Expand the scope of the policy to allow authentication requests from the EAA connector.
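Steps 1, 3 and 5 can be checked from the connector host with a small script. This is an added example, not Akamai's code: the hostnames and realm are constructed, and the dig and timedatectl calls assume the dnsutils package and systemd on the Ubuntu connector.

```bash
#!/usr/bin/env bash
# Added example: builds the SPN per the schema on this page and runs the KDC
# reachability and clock checks from the EAA connector host.

# build_spn <service-protocol> <service-fqdn> <service-port> <service-domain>
# Applies the two rules from step 5: HTTP/HTTPS -> HTTP, standard port omitted.
build_spn() {
  local proto="$1" fqdn="$2" port="$3" domain="$4" std_ports=""
  case "$(printf '%s' "$proto" | tr '[:upper:]' '[:lower:]')" in
    http|https) proto="HTTP"; std_ports=" 80 443 " ;;
    # Other protocols are passed through unchanged and keep their port
    # (conservative; the page only defines the HTTP/HTTPS rule).
  esac
  case "$std_ports" in
    *" $port "*) port="" ;;      # standard port for this service: omit it
  esac
  printf '%s/%s%s@%s\n' "$proto" "$fqdn" "${port:+:$port}" "$domain"
}

# check_kdc_srv <kerberos-domain>: the SRV record the connector resolves (step 1).
check_kdc_srv() {
  dig +short SRV "_kerberos._tcp.$1"
}

# check_kdc_port <kdc-host>: TCP reachability of port 88 using bash's /dev/tcp,
# so no extra tools are needed on the connector (step 2).
check_kdc_port() {
  if timeout 3 bash -c "exec 3<>/dev/tcp/$1/88" 2>/dev/null; then
    echo "port 88 reachable on $1"
  else
    echo "port 88 NOT reachable on $1"
  fi
}

# check_clock: NTP sync state of the connector (step 3); compare TimeUSec with the KDC.
check_clock() {
  timedatectl show -p NTPSynchronized -p TimeUSec 2>/dev/null || true
}

# Usage: ./kerb_check.sh <service-protocol> <service-fqdn> <service-port> <service-domain> [kdc-host]
# Constructed example: ./kerb_check.sh https app.corp.example.com 443 CORP.EXAMPLE.COM dc1.corp.example.com
if [ "$#" -ge 4 ]; then
  echo "Expected SPN: $(build_spn "$1" "$2" "$3" "$4")"
  echo "KDC SRV records for $4:"; check_kdc_srv "$4"
  [ -n "${5:-}" ] && check_kdc_port "$5"
  check_clock
fi
```

Compare the printed SPN with the Service Principal Name field and the AD account; if the SRV lookup returns nothing, the connector's DNS cannot locate the KDC.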

Next steps

If you need to continue troubleshooting, see Troubleshooting overview and tips.