KB17804 - Kerberos SSO (Single Sign on) not working for Web Resource(s)

Information

Last Modified Date: 8/2/2015 10:02 PM
Synopsis
Kerberos SSO (Single Sign on) not working for Web Resource(s)
Problem or Goal
Kerberos SSO is not working for a Web Resource, e.g. OWA through PCS. When you click the OWA resource bookmark, you get a yellow page asking for user credentials. SSO works fine with NTLM; however, if only Kerberos SSO is enabled it fails and the following error is reported: "Server not found in Kerberos database".

In the User Access log:
Minor ERR24617 YYYY-MM-DD HH:MM:SS - ive - [IP Address] <USERNAME>(xxxx)[xxxx] - Fetch Kerberos TGS for user <USERNAME>, TGT user <USERNAME>, realm Domain.com, host abc.domain.com failed: Fetch TGS fetch error: Server not found in Kerberos database

Info WEB24618 YYYY-MM-DD HH:MM:SS - ive - [IP Address] <USERNAME>(xxxx)[xxxx] - Web SSO: Fetched Kerberos TGT Ticket Client: <username>@domain.com, Server: krbtgt/[email protected], auth MM/DD/YY HH:MM:SS, start MM/DD/YY HH:MM:SS, end MM/DD/YY HH:MM:SS, renew MM/DD/YY HH:MM:SS, current MM/DD/YY HH:MM:SS
Cause
Solution
REASON

"Server not found in Kerberos database" is returned when the KDC (Key Distribution Center) cannot map the SPN (Service Principal Name) in the TGS request to a single account in Active Directory. This generally happens because the same SPN has been registered on more than one account in the domain.

RESOLUTION

Check whether multiple SPNs exist for the service. Perform the following on the domain controller to find and delete duplicate SPNs:
  1. Run the "setspn -x" command.

C:\>setspn -x
Processing entry 0
HTTP/DC.Domain.COM is registered on these accounts:
CN=User1,OU=Org OU,DC=Domain,DC=COM
CN=DC,OU=Domain Controllers,DC=Domain,DC=COM

Found 1 groups of duplicate SPNs.
  2. To delete the duplicate SPN, run the following command. In the output above, HTTP/DC.Domain.COM is the domain controller's own SPN, so it is removed from the user account User1:

C:\>setspn -D HTTP/DC.Domain.COM User1

  3. Run the "setspn -x" command again to verify that the duplicate SPN was removed.

Note: Once the duplicate SPN is deleted, the "setspn -x" command should no longer report any duplicates for the HTTP service.
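The same duplicate-SPN check done from PowerShell, as an added example that is not part of this KB: it lists SPNs registered on more than one account (what "setspn -x" reports) and prints the setspn -D command that would clear each one from the non-DC account. It assumes the RSAT ActiveDirectory module is installed and that domain controllers sit in the default "Domain Controllers" OU.

```powershell
# Added example (not from the KB): find SPNs registered on more than one AD account,
# which is what "setspn -x" reports, and show the setspn -D command that would clear each
# duplicate from the non-DC account. Assumes the RSAT ActiveDirectory module is installed
# and that domain controllers live in the default "Domain Controllers" OU (an assumption).
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param(
        # Only report duplicates for this service class (e.g. HTTP, the class used by OWA)
        [string]$ServiceClass = 'HTTP'
    )
    # Every directory object carrying at least one servicePrincipalName value
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, sAMAccountName

    # Flatten to (SPN, account) pairs; AD matches SPNs case-insensitively, so normalise case
    $pairs = foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            [pscustomobject]@{
                SPN     = $spn.ToLowerInvariant()
                DN      = $obj.DistinguishedName
                Account = $obj.sAMAccountName
            }
        }
    }

    # A group with more than one member is a duplicate SPN: the KDC cannot pick one account
    $pairs |
        Where-Object { $_.SPN -like "$ServiceClass/*" } |
        Group-Object -Property SPN |
        Where-Object { $_.Count -gt 1 }
}

# Report each duplicate and the command an administrator would run to resolve it.
# Nothing is deleted here; the suggested command is only printed for review.
foreach ($group in Find-DuplicateSpn -ServiceClass 'HTTP') {
    Write-Host "Duplicate SPN: $($group.Name)"
    foreach ($entry in $group.Group) {
        Write-Host "  registered on $($entry.DN)"
        # Keep the SPN on the domain controller's own account; remove it elsewhere
        if ($entry.DN -notlike '*OU=Domain Controllers,*') {
            Write-Host "  suggested: setspn -D $($group.Name) $($entry.Account)"
        }
    }
}
```

Run it as a domain user with read access to the directory; the printed setspn -D lines can then be reviewed and run on the domain controller as in step 2.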
Created By: Data Deployment