Troubleshoot access to a Kerberized application
How to make sure your Kerberized applications are accessible.
Before you begin
Problems accessing a Kerberized application are most commonly caused by an incorrect service principal name (SPN) configuration. An SPN is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer.
Make sure the Kerberos Key Distribution Center (KDC) is reachable from the EAA connector. The EAA connector uses the DNS service (SRV) record to locate the KDC when obtaining tickets. The DNS server used by the connector must be able to resolve the KDC service records, such as _kerberos._tcp.<domain-name>, for both the user's and the service's Kerberos domains.
- Make sure the firewall rules allow the connector to reach port 88 and the LDAP/LDAPS ports.
- Make sure the clocks of the EAA connector and the KDC are synchronized. Connectors rely on Ubuntu time servers to sync their clocks. If the KDC uses a different internal time source, you need to manually change the network time protocol (NTP) source on the agent to the NTP service used by the KDC.
Make sure the service principal name (SPN) is discoverable by the KDC. Review the application's advanced settings fields for accuracy and make changes as needed. For more information about the domain fields, see Forward Kerberos ticket-granting ticket to application. Issues are commonly found with the information entered into these fields:
- Application-facing Authentication Mechanism. Verify that Kerberos is selected.
- Forward Kerberos Ticket-Granting Ticket to App. Verify that the checkbox is selected.
- Application authentication domain. Verify that the internal hostname is correct.
- Service Principal Name. Make sure that the SPN in this field is the same as the SPN configured in the Active Directory (AD) account.
Make sure the SPN of the internal application follows this schema:
- If the service protocol is HTTP or HTTPS, use HTTP as the service class (for example, HTTP/<internal-hostname>).
- If the service port is a standard port, omit the port.
Verify that the KDC is not experiencing policy errors. The KDC may reject requests because of policy restrictions.
- Determine the root cause by examining the KDC logs.
- Expand the scope of the policy to allow authentication requests from the EAA connector.
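The checks above (KDC SRV lookup, port reachability, clock skew, and SPN form) can be run from the connector host before opening a ticket. The script below is an added example and is not Akamai's or the EAA product's code; it assumes dig, nc and ntpdate are installed on the host, and the hostnames, realms and URL it is called with are placeholders you supply. The SPN derivation follows the schema stated above (HTTP service class for both HTTP and HTTPS, standard port omitted); the 300 second skew limit is the common Kerberos default, not a value from this page.

```shell
#!/bin/sh
# Added example (not EAA's own tooling): pre-flight checks for a Kerberized app.
# Assumes: run on the connector host; dig, nc and ntpdate are available.

# Derive the expected SPN from the app's internal URL. Rules from the checklist:
# HTTP and HTTPS both use the HTTP service class; a standard port (80/443) is omitted.
spn_for_url() {
  url=$1
  scheme=$(printf '%s' "${url%%://*}" | tr 'A-Z' 'a-z')
  rest=${url#*://}
  hostport=${rest%%/*}
  host=$(printf '%s' "${hostport%%:*}" | tr 'A-Z' 'a-z')
  port=''
  case $hostport in
    *:*) port=${hostport##*:} ;;
  esac
  case $scheme in
    http)  std=80 ;;
    https) std=443 ;;
    *) printf 'spn_for_url: unsupported scheme "%s"\n' "$scheme" >&2; return 1 ;;
  esac
  if [ -z "$port" ] || [ "$port" = "$std" ]; then
    printf 'HTTP/%s\n' "$host"
  else
    printf 'HTTP/%s:%s\n' "$host" "$port"
  fi
}

# AD compares SPNs case-insensitively; do the same when checking the configured value.
spn_matches() {
  a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$a" = "$b" ]
}

# Is |offset| <= limit? Pure helper (awk for floating point), used by the skew check.
skew_ok() {
  awk -v o="$1" -v l="$2" 'BEGIN { if (o < 0) o = -o; exit !(o <= l) }'
}

# 1. KDC discovery: the connector resolves the SRV record _kerberos._tcp.<realm>
#    through its own DNS server; run this for the user's and the service's realm.
check_kdc_srv() {
  realm=$1
  srv=$(dig +short SRV "_kerberos._tcp.$realm")
  if [ -z "$srv" ]; then
    echo "FAIL: no SRV record for _kerberos._tcp.$realm (check the connector's DNS server)"
    return 1
  fi
  echo "OK: _kerberos._tcp.$realm -> $srv"
}

# 2. Firewall reachability from the connector: Kerberos (88) and LDAP/LDAPS (389/636).
check_kdc_ports() {
  kdc=$1
  rc=0
  for p in 88 389 636; do
    if nc -z -w 3 "$kdc" "$p" 2>/dev/null; then
      echo "OK: $kdc:$p reachable"
    else
      echo "FAIL: $kdc:$p not reachable (firewall rule?)"
      rc=1
    fi
  done
  return $rc
}

# 3. Clock skew: ntpdate -q queries the KDC's time without adjusting the local clock.
#    Assumed limit of 300 s is the usual Kerberos default, not an EAA-specific value.
check_clock_skew() {
  kdc=$1
  limit=${2:-300}
  offset=$(ntpdate -q "$kdc" 2>/dev/null | sed -n 's/.*offset \([-+0-9.]*\).*/\1/p' | tail -n 1)
  if [ -z "$offset" ]; then
    echo "FAIL: could not query time from $kdc"
    return 1
  fi
  if skew_ok "$offset" "$limit"; then
    echo "OK: clock offset ${offset}s within ${limit}s"
  else
    echo "FAIL: clock offset ${offset}s exceeds ${limit}s (fix the NTP source on the connector)"
    return 1
  fi
}

# Usage: sh kerb_preflight.sh <app-url> <user-realm> <service-realm> <kdc-host> [<spn-in-AD>]
# All arguments are placeholders you supply; nothing runs when called without them.
if [ $# -ge 4 ]; then
  expected=$(spn_for_url "$1") || exit 1
  echo "Expected SPN for $1: $expected"
  if [ -n "$5" ]; then
    spn_matches "$expected" "$5" && echo "OK: SPN matches AD account" || echo "FAIL: AD SPN '$5' differs from '$expected'"
  fi
  check_kdc_srv "$2"
  [ "$2" = "$3" ] || check_kdc_srv "$3"
  check_kdc_ports "$4"
  check_clock_skew "$4"
fi
```

Run it with the application's internal URL, both realms, a KDC host, and optionally the SPN you entered on the AD account; a FAIL line maps directly to one of the checklist items above (DNS, firewall, NTP source, or SPN mismatch).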