Troubleshooting Kerberos Configuration

The first step in troubleshooting issues with Windows Authentication – Kerberos is to increase the logging level of the MSS authentication service. Follow these steps:

  1. Edit the <install-dir>/mss/server/microservices/auth-service/service.yml file and add the following entry to the env section:

    - name: authsvc.logging.level
      value: DEBUG

  2. Restart the MSS server so that the new setting takes effect.

If you are troubleshooting a cluster of MSS servers, increase the logging level on every server in the cluster, because a request can be served by any node.

Once debug logging is enabled, the log output for Kerberos and OAuth operations is written to <install-dir>/mss/server/logs/auth-service/auth-service-osp.*.log.

Other general information for the MSS authentication service is logged to the auth-service.log file in the same location.

Return the logging level to its default when you are done; DEBUG output is verbose and fills the log directory quickly.

The following table lists common symptoms and their possible causes.

Issue: User is prompted for credentials

 Possible cause:

  • The client machine is not a member of the Active Directory domain

  • The user has not logged onto the client machine with the credentials of a user in the Active Directory domain

  • The browser (Internet Options) has not been configured for Kerberos: Integrated Windows Authentication must be enabled, and the MSS server URL must be in a zone that allows automatic logon (normally Local intranet)

  • The necessary SPN (HTTP/<MSS server FQDN>) has not been registered on the service account in Active Directory. On the client, running klist after a failed attempt shows whether a ticket for that SPN was obtained; setspn -Q HTTP/<MSS server FQDN> shows whether, and on which account, the SPN is registered

Issue: User encounters the error message "Unable to complete request at this time"

 Possible cause:

  • LDAP is misconfigured

  • The keytab file created for the service account is not valid. Note that resetting the service account password increments its key version number (kvno), so a keytab generated before the reset no longer matches and must be regenerated

Issue: User encounters the error message XDAS_OUT_POLICY_VIOLATION

 Possible cause:

  • The proxy interface properties are not properly configured when the MSS server is behind a reverse proxy or load balancer

Issue: User encounters the error message "This site cannot be reached"

 Possible cause:

  • The auth service is not running or has not been enabled. Check service.yml and verify that the enabled setting is set to true

Issue: Authentication takes a long time

 Possible cause:

  • LDAP is configured with the standard LDAP port (389). Configure LDAP with the global catalog port instead (3268, or 3269 for LDAPS), so that users anywhere in the forest are resolved without chasing referrals

Issue: Reflection Desktop displays a "connection failed" error when trying to open a session

 Possible cause:

  • Reflection Desktop must have Centralized Management configured to access the MSS server using HTTPS

  • In addition, the certificate of the MSS server must be trusted by the client: its issuing CA must be in the Windows Trusted Root Certification Authorities store
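Two of the causes above (a missing SPN and an invalid keytab) can be checked offline by reading the keytab that was generated for the service account. The script below is an added example, not part of this page or of the MSS product: it parses the MIT version-2 keytab format (the format ktpass produces), lists each principal with its key version number and encryption type, checks for an exact match on the expected SPN, and flags RC4/DES keys. The hostname mss.example.com, the realm EXAMPLE.COM and the key bytes are constructed sample data; build_keytab exists only to construct that sample.

```python
"""Inspect a Kerberos keytab: list principals, KVNOs and enctypes (example code)."""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"      # MIT keytab format version 2, big-endian fields
NT_PRINCIPAL = 1
# Standard Kerberos enctype numbers; RC4 and DES are the ones to retire.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}


class KeytabError(ValueError):
    """Raised when the data is not a well-formed version-2 keytab."""


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed octet string at off; return (bytes, new off)."""
    if off + 2 > len(buf):
        raise KeytabError("truncated length field")
    n = struct.unpack_from(">H", buf, off)[0]
    off += 2
    if off + n > len(buf):
        raise KeytabError("counted string runs past end of entry")
    return buf[off:off + n], off + n


def _parse_entry(data: bytes) -> KeytabEntry:
    try:
        ncomp = struct.unpack_from(">H", data, 0)[0]
        realm, off = _counted(data, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
    except struct.error as exc:
        raise KeytabError(f"truncated entry: {exc}") from exc
    key = data[off:off + keylen]
    if len(key) != keylen:
        raise KeytabError("key runs past end of entry")
    off += keylen
    kvno = vno8
    if len(data) - off >= 4:        # optional 32-bit vno overrides vno8 when nonzero
        vno32 = struct.unpack_from(">I", data, off)[0]
        if vno32:
            kvno = vno32
    return KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key)


def parse_keytab(blob: bytes) -> list:
    if blob[:2] != KEYTAB_MAGIC:
        raise KeytabError("not a version-2 keytab (bad magic)")
    entries, off = [], 2
    while off < len(blob):
        if off + 4 > len(blob):
            raise KeytabError("truncated entry size field")
        size = struct.unpack_from(">i", blob, off)[0]
        off += 4
        if size < 0:                # negative size marks a deleted slot
            off += -size
            continue
        if size == 0 or off + size > len(blob):
            raise KeytabError("entry runs past end of file")
        entries.append(_parse_entry(blob[off:off + size]))
        off += size
    return entries


def find_spn(blob: bytes, spn: str) -> list:
    """(kvno, enctype) pairs whose principal exactly matches spn, e.g. 'HTTP/host@REALM'."""
    return [(e.kvno, e.enctype) for e in parse_keytab(blob) if e.principal == spn]


def weak_principals(entries) -> list:
    """Principals that carry an RC4 or DES key."""
    return sorted({e.principal for e in entries if e.enctype in WEAK_ENCTYPES})


def build_keytab(specs) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples; used only to construct sample data."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in specs:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample keytab: dummy key bytes, not keys derived from a real account.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/mss.example.com@EXAMPLE.COM", 3, 18, bytes(range(32))),
    ("host/other.example.com@EXAMPLE.COM", 2, 23, bytes(range(16))),
])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    entries = parse_keytab(blob)
    for e in entries:
        print(f"{e.principal:45} kvno={e.kvno:<4} {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    print("weak enctypes:", weak_principals(entries) or "none")
```

Run it as `python keytab_check.py <path-to-keytab>` (the file name is an assumption). The match in find_spn is exact, so a realm in lowercase or an SPN host with different capitalization counts as a mismatch; that is deliberate, because the principal in the keytab has to be the one the server expects. A keytab whose kvno is lower than the account's current kvno in AD, or a file that raises KeytabError, should be regenerated.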