Symptoms
First, see How to analyze the log files to identify single sign-on (SSO) issues.
Single sign-on fails. In awingu-worker-smc.service.log, an error similar to the following can be seen:
2022-04-20 07:35:58.452945 awingu awingu-worker-smc.service[manage.py:2067]: Process-1:3 processing cdsessions.tasks.refresh_sso_certificate [triple-jersey-carolina-white]
2022-04-20 07:35:58.480647 awingu awingu-worker-smc.service[python3:992]: Generating a RSA private key
2022-04-20 07:35:58.574126 awingu awingu-worker-smc.service[python3:992]: ...................................................+++++
2022-04-20 07:35:58.715677 awingu awingu-worker-smc.service[python3:992]: ......................................................................................................+++++
2022-04-20 07:35:58.715875 awingu awingu-worker-smc.service[python3:992]: writing new private key to 'private_key.pem'
2022-04-20 07:35:58.715993 awingu awingu-worker-smc.service[python3:992]: -----
2022-04-20 07:35:58.782389 awingu awingu-worker-smc.service[python3:992]: writing RSA key
2022-04-20 07:36:14.926654 awingu awingu-worker-smc.service[manage.py:2067]:
2022-04-20 07:36:14.927186 awingu awingu-worker-smc.service[manage.py:2067]: Using specified cache: /etc/awingu/domains/AWINGUDOMAIN/a80789f7-4d84-4e31-bf59-a268123a3d2e/kerberos/kerberos_credentials_cache
Using principal: someuser\@somedomain.org@SOMEDOMAIN.ORG
PA Option X509_user_identity = FILE:/etc/awingu/domains/AWINGUDOMAIN/a80789f7-4d84-4e31-bf59-a268123a3d2e/certificate.pem,/etc/awingu/domains/AWINGUDOMAIN/a80789f7-4d84-4e31-bf59-a268123a3d2e/private_key.pem
[21480] 1650440158.788887: Getting initial credentials for someuser\@somedomain.org@SOMEDOMAIN.ORG
[21480] 1650440158.788889: Sending unauthenticated request
[21480] 1650440158.788890: Sending request (211 bytes) to SOMEDOMAIN.ORG
[21480] 1650440158.788891: Resolving hostname somedc.somedomain.org
[21480] 1650440158.788892: Sending initial UDP request to dgram 10.1.2.3:88
[21480] 1650440158.788893: Received answer (205 bytes) from dgram 10.1.2.3:88
[21480] 1650440158.788894: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[21480] 1650440158.788895: No URI records found
[21480] 1650440158.788896: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[21480] 1650440158.788897: SRV answer: 0 0 88 "somedc.somedomain.org."
[21480] 1650440158.788898: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[21480] 1650440158.788899: SRV answer: 0 0 88 "somedc.somedomain.org."
[21480] 1650440158.788900: Response was not from master KDC
[21480] 1650440158.788901: Received error from KDC: -1765328359/Additional pre-authentication required
[21480] 1650440158.788904: Preauthenticating using KDC method data
[21480] 1650440158.788905: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[21480] 1650440158.788906: Selected etype info: etype aes256-cts, salt "SOMEDOMAIN.ORGsomeuser", params ""
[21480] 1650440158.788907: PKINIT loading CA certs and CRLs from FILE
[21480] 1650440158.788908: PKINIT client computed kdc-req-body checksum 9/E806B715A04F29B42806750A1ABFD6CF386E0C48
[21480] 1650440158.788910: PKINIT client making DH request
[21480] 1650440158.788911: Preauth module pkinit (16) (real) returned: 0/Success
[21480] 1650440158.788912: Produced preauth for next request: PA-PK-AS-REQ (16)
[21480] 1650440158.788913: Sending request (4965 bytes) to SOMEDOMAIN.ORG
[21480] 1650440158.788914: Resolving hostname somedc.somedomain.org
[21480] 1650440158.788915: Initiating TCP connection to stream 10.1.2.3:88
[21480] 1650440159.864943: Sending initial UDP request to dgram 10.1.2.3:88
[21480] 1650440159.864944: Received answer (106 bytes) from dgram 10.1.2.3:88
[21480] 1650440159.864945: Terminating TCP connection to stream 10.1.2.3:88
[21480] 1650440159.864946: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[21480] 1650440159.864947: No URI records found
[21480] 1650440159.864948: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[21480] 1650440159.864949: SRV answer: 0 0 88 "somedc.somedomain.org."
[21480] 1650440159.864950: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[21480] 1650440159.864951: SRV answer: 0 0 88 "somedc.somedomain.org."
[21480] 1650440159.864952: Response was not from master KDC
[21480] 1650440159.864953: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[21480] 1650440159.864954: Request or response is too big for UDP; retrying with TCP
[21480] 1650440159.864955: Sending request (4965 bytes) to SOMEDOMAIN.ORG (tcp only)
[21480] 1650440159.864956: Resolving hostname somedc.somedomain.org
[21480] 1650440159.864957: Initiating TCP connection to stream 10.1.2.3:88
[21480] 1650440174.925076: Terminating TCP connection to stream 10.1.2.3:88
kinit: Cannot contact any KDC for realm 'SOMEDOMAIN.ORG' while getting initial credentials
Cause
The appliance is unable to connect to one or more of the specified Kerberos Domain Controllers (KDCs). In the trace above, the small UDP exchanges with 10.1.2.3:88 are answered, but the PKINIT request (4965 bytes) is too big for UDP, and the TCP connection to 10.1.2.3:88 is terminated after roughly 15 seconds without any answer, so TCP port 88 is the path that fails.
Resolution
- Fix network connectivity to the Kerberos Domain Controller(s) (KDC). This could be a routing or firewall issue. Make sure TCP port 88 is allowed, not only UDP port 88: PKINIT requests are too big for UDP, so the client must fall back to TCP.
- Also see: How to perform a port scan (tcpscan/udpscan)
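To tell a blocked TCP/88 path apart from a KDC that is unreachable altogether, the KRB5_TRACE lines can be checked mechanically. The script below is an added example, not part of the article or of Awingu's tooling; it assumes the trace format shown above (libkrb5 races UDP and TCP, so a TCP connection closed shortly after a UDP answer is normal, while one closed with no answer at all is a failure) and uses a constructed excerpt of the trace above as input.

```python
import re

# Constructed excerpt of the KRB5_TRACE lines quoted above; not a live capture.
SAMPLE_TRACE = """\
[21480] 1650440158.788893: Received answer (205 bytes) from dgram 10.1.2.3:88
[21480] 1650440158.788915: Initiating TCP connection to stream 10.1.2.3:88
[21480] 1650440159.864944: Received answer (106 bytes) from dgram 10.1.2.3:88
[21480] 1650440159.864945: Terminating TCP connection to stream 10.1.2.3:88
[21480] 1650440159.864953: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[21480] 1650440159.864957: Initiating TCP connection to stream 10.1.2.3:88
[21480] 1650440174.925076: Terminating TCP connection to stream 10.1.2.3:88
kinit: Cannot contact any KDC for realm 'SOMEDOMAIN.ORG' while getting initial credentials
"""

TRACE_LINE = re.compile(r"^\[\d+\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
TCP_OPEN = re.compile(r"Initiating TCP connection to stream (?P<kdc>\S+)")
TCP_CLOSE = re.compile(r"Terminating TCP connection to stream (?P<kdc>\S+)")
ANSWER = re.compile(r"Received answer \(\d+ bytes\) from (?P<proto>dgram|stream) (?P<kdc>\S+)")


def _entry(findings: dict, kdc: str) -> dict:
    return findings.setdefault(kdc, {"udp_answered": False, "tcp_answered": False, "tcp_dead": []})


def analyze_trace(trace: str) -> dict:
    """Per KDC: did UDP/TCP ever answer, and how long (s) each TCP connection closed without any answer stayed open."""
    findings, open_tcp = {}, {}
    for line in trace.splitlines():
        m = TRACE_LINE.match(line)
        if not m:
            continue  # kinit's own stderr lines carry no timestamp
        ts, msg = float(m["ts"]), m["msg"]
        if a := ANSWER.search(msg):
            _entry(findings, a["kdc"])["udp_answered" if a["proto"] == "dgram" else "tcp_answered"] = True
            if a["kdc"] in open_tcp:  # UDP/TCP race: an answer on either makes the TCP close benign
                open_tcp[a["kdc"]]["answered"] = True
        elif o := TCP_OPEN.search(msg):
            _entry(findings, o["kdc"])
            open_tcp[o["kdc"]] = {"start": ts, "answered": False}
        elif c := TCP_CLOSE.search(msg):
            conn = open_tcp.pop(c["kdc"], None)
            if conn and not conn["answered"]:
                findings[c["kdc"]]["tcp_dead"].append(round(ts - conn["start"], 1))
    return findings


def diagnose(findings: dict) -> dict:
    # Verdict per KDC that a firewall/routing team can act on
    return {kdc: ("ok" if f["tcp_answered"] or not f["tcp_dead"]
                  else "TCP/88 blocked (UDP answers)" if f["udp_answered"] else "unreachable")
            for kdc, f in findings.items()}
```

Run it on the full KRB5_TRACE output from awingu-worker-smc.service.log; a verdict of "TCP/88 blocked (UDP answers)" points at a firewall or routing rule that passes UDP but not TCP to the KDC.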