Received error from KDC: -1765328309/Client name mismatch


Symptoms

First, see How to analyze the log files to identify single sign-on (SSO) issues.

Single sign-on fails. In awingu-worker-smc.service.log, an error similar to the following can be seen:

2025-01-13 09:36:52.781191+00:00 secureworkspace awingu-worker-smc.service[manage.py:1326]: Using specified cache: /etc/awingu/domains/SOMEDOMAIN/2c7cd9f2-e198-4f12-94b2-9fee886aa5b4/kerberos/kerberos_credentials_cache
Using principal: someuser\@somealternatesuffix.org@SOMEDOMAIN.ORG
PA Option X509_user_identity = FILE:/etc/awingu/domains/SOMEDOMAIN/2c7cd9f2-e198-4f12-94b2-9fee886aa5b4/certificate.pem,/etc/awingu/domains/SOMEDOMAIN/2c7cd9f2-e198-4f12-94b2-9fee886aa5b4/private_key.pem
[103838] 1736761012.510665: Getting initial credentials for someuser\@somealternatesuffix.org@SOMEDOMAIN.ORG
[103838] 1736761012.510667: Sending unauthenticated request
[103838] 1736761012.510668: Sending request (208 bytes) to SOMEDOMAIN.ORG
[103838] 1736761012.510669: Resolving hostname ad01.somedomain.org
[103838] 1736761012.510670: Sending initial UDP request to dgram 1.2.3.4:88
[103838] 1736761012.510671: Received answer (176 bytes) from dgram 1.2.3.4:88
[103838] 1736761012.510672: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[103838] 1736761012.510673: No URI records found
[103838] 1736761012.510674: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[103838] 1736761012.510675: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[103838] 1736761012.510676: No SRV records found
[103838] 1736761012.510677: Response was not from master KDC
[103838] 1736761012.510678: Received error from KDC: -1765328359/Additional pre-authentication required
[103838] 1736761012.510681: Preauthenticating using KDC method data
[103838] 1736761012.510682: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[103838] 1736761012.510683: Selected etype info: etype aes256-cts, salt "SOMEDOMAIN.ORGdummy", params ""
[103838] 1736761012.510684: PKINIT loading CA certs and CRLs from FILE
[103838] 1736761012.510685: PKINIT client computed kdc-req-body checksum 9/71F08DC6CD556264BACE6ADD83A62F1CC6AC58A2
[103838] 1736761012.510687: PKINIT client making DH request
[103838] 1736761012.510688: Preauth module pkinit (16) (real) returned: 0/Success
[103838] 1736761012.510689: Produced preauth for next request: PA-PK-AS-REQ (16)
[103838] 1736761012.510690: Sending request (4907 bytes) to SOMEDOMAIN.ORG
[103838] 1736761012.510691: Resolving hostname ad01.somedomain.org
[103838] 1736761012.510692: Initiating TCP connection to stream 1.2.3.4:88
[103838] 1736761012.510693: Sending TCP request to stream 1.2.3.4:88
[103838] 1736761012.510694: Received answer (90 bytes) from stream 1.2.3.4:88
[103838] 1736761012.510695: Terminating TCP connection to stream 1.2.3.4:88
[103838] 1736761012.510696: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[103838] 1736761012.510697: No URI records found
[103838] 1736761012.510698: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[103838] 1736761012.510699: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[103838] 1736761012.510700: No SRV records found
[103838] 1736761012.510701: Response was not from master KDC
[103838] 1736761012.510702: Received error from KDC: -1765328309/Client name mismatch
[103838] 1736761012.510703: Retrying AS request with master KDC
[103838] 1736761012.510704: Getting initial credentials for someuser\@somealternatesuffix.org@SOMEDOMAIN.ORG
[103838] 1736761012.510706: Sending unauthenticated request
[103838] 1736761012.510707: Sending request (208 bytes) to SOMEDOMAIN.ORG (master)
[103838] 1736761012.510708: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[103838] 1736761012.510709: No URI records found
[103838] 1736761012.510710: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[103838] 1736761012.510711: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[103838] 1736761012.510712: No SRV records found
kinit: Client name mismatch while getting initial credentials
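As an added example (not part of this article or of Awingu's own tooling), the Python script below parses KRB5_TRACE lines like those above, decodes the numeric KDC error codes into their RFC 4120/4556 names, and flags the PKINIT client-name mismatch; the sample input is constructed from the lines quoted above, and the error-code base value is MIT krb5's ERROR_TABLE_BASE_krb5.

```python
import re
# KRB5_TRACE line shape seen in awingu-worker-smc.service.log: "[pid] epoch.usec: message"
TRACE_RE = re.compile(r"^\[\d+\]\s+\d+\.\d+:\s+(.*)$")
KDC_ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.*)$")
PRINCIPAL_RE = re.compile(r"Getting initial credentials for (\S+)")

# MIT krb5 reports KDC errors as ERROR_TABLE_BASE_krb5 + the RFC 4120/4556 error number.
KRB5_ERROR_TABLE_BASE = -1765328384
KDC_ERROR_NAMES = {
    25: "KDC_ERR_PREAUTH_REQUIRED",      # expected: KDC asks for pre-authentication
    75: "KDC_ERR_CLIENT_NAME_MISMATCH",  # PKINIT cert did not map to the requested principal
}

def parse_trace(lines):
    """Extract principal, PKINIT usage and decoded KDC errors from a KRB5_TRACE log."""
    ex = {"principal": None, "pkinit_used": False, "kdc_errors": []}
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # skips non-trace lines such as "Using principal: ..."
        msg = m.group(1)
        p = PRINCIPAL_RE.search(msg)
        if p and ex["principal"] is None:
            ex["principal"] = p.group(1)
        if "Produced preauth for next request: PA-PK-AS-REQ" in msg:
            ex["pkinit_used"] = True
        e = KDC_ERR_RE.search(msg)
        if e:
            rfc_code = int(e.group(1)) - KRB5_ERROR_TABLE_BASE
            ex["kdc_errors"].append((rfc_code, KDC_ERROR_NAMES.get(rfc_code, "UNKNOWN"), e.group(2)))
    return ex

def diagnose(ex):
    """Map the parsed AS exchange to the failure mode this article describes."""
    if ex["pkinit_used"] and any(code == 75 for code, _, _ in ex["kdc_errors"]):
        return ("PKINIT AS-REQ for %s rejected with KDC_ERR_CLIENT_NAME_MISMATCH: the "
                "certificate's SAN UPN was not mapped to the account; check "
                "UseSubjectAltName on the domain controller(s)" % ex["principal"])
    return "no client-name mismatch in this trace"

# Constructed sample input: a few lines copied from the trace quoted in this article.
SAMPLE = """Using principal: someuser\\@somealternatesuffix.org@SOMEDOMAIN.ORG
[103838] 1736761012.510665: Getting initial credentials for someuser\\@somealternatesuffix.org@SOMEDOMAIN.ORG
[103838] 1736761012.510678: Received error from KDC: -1765328359/Additional pre-authentication required
[103838] 1736761012.510689: Produced preauth for next request: PA-PK-AS-REQ (16)
[103838] 1736761012.510702: Received error from KDC: -1765328309/Client name mismatch
""".splitlines()
if __name__ == "__main__":
    print(diagnose(parse_trace(SAMPLE)))
```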

Cause

Most likely, Subject Alternative Name (SAN) for UPN mapping has been disabled on the Kerberos Domain Controller (Microsoft Windows Server). With PKINIT, the KDC identifies the account by the UPN carried in the client certificate's SAN; when that mapping is disabled, the certificate cannot be matched to the requested principal (here someuser@somealternatesuffix.org) and the KDC rejects the AS request with KDC_ERR_CLIENT_NAME_MISMATCH (-1765328309).

Resolution

On the domain controller(s):

  1. Open Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\UseSubjectAltName.
  3. Right-click UseSubjectAltName, select Modify Binary data, and then set the Value data to 0.

More info: How to disable the SAN for UPN mapping - Windows Server | Microsoft Learn.
