Reset Search
 

 

Article

KB17804 - Kerberos SSO (Single Sign on) not working for Web Resource(s)

« Go Back

Information

 
Last Modified Date8/2/2015 10:02 PM
Synopsis
Kerberos SSO (Single Sign on) not working for Web Resource(s)
Problem or Goal
Kerberos SSO is not working for Web Resource eg: OWA through PCS.  When you click on OWA resource bookmark, you get a yellow page for user credentials. SSO works fine with NTLM; however, if only Kerberos SSO is enabled, then it is not working and the following error is reported:  " Server not found in Kerberos database".

In User Access log :
Minor ERR24617 YYYY-MM-DD HH:MM:SS - ive - [IP Address] <USERNAME>(xxxx)[xxxx] - Fetch Kerberos TGS for user <USERNAME>, TGT user <USERNAME>, realm Domain.com, host abc.domain.com failed: Fetch TGS fetch error: Server not found in Kerberos database

Info WEB24618 YYYY-MM-DD HH:MM:SS - ive - [IP Address] USERNAME>(xxxx)[xxxx] - Web SSO: Fetched Kerberos TGT Ticket Client: <username>@domain.com, Server: krbtgt/Domain.com@Domain.com, auth MM/DD/YY HH:MM:SS, start MM/DD/YY HH:MM:SS, end MM/DD/YY HH:MM:SS, renew MM/DD/YY HH:MM:SS, current MM/DD/YY HH:MM:SS
Cause
Solution
REASON

"Server not found in Kerberos database" can come if the KDC(Key Distribution Center) could not translate the SPN (Server Principal Name) from the KDC request into an account in the Active Directory. This generally happens due to multiple SPN created for the service on domain controller.


RESOLUTION

Check if multiple SPNs exist for a service.  Perform the following on the domain controller to find and delete duplicate SPNs:
  1. Run "setspn -x" command.

C:\>setspn -x
Processing entry 0
HTTP/DC.Domain.COM is registered on these accounts:
CN=User1,OU=Org OU,DC=Domain,DC=COM
CN=DC,OU=Domain Controllers,DC=Domain,Dc=COM


Found 1 groups of duplicate SPNs.
 
  • To delete duplicate SPN run following command:

c:\setspn -D HTTP/User1 User1
 
  • Run "setspn -x" command again to verify that the duplicate SPN was removed.

Note: Once a duplicate SPN is deleted, "setspn -x" command should not show any content for the HTTP service.
Related Links
Attachment 1 
Created ByData Deployment

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255