Symptoms
First, see How to analyze the log files to identify single sign-on (SSO) issues.
Single sign-on fails, and an error similar to the following appears in awingu-worker-smc.service.log:
2022-01-24 13:05:32.815501 somehost awingu-worker-smc.service[manage.py:24846]: Using specified cache: /etc/awingu/domains/WORKSPACEDOMAIN/ac02f8b1-9725-4417-91f4-80544ab90d11/kerberos/kerberos_credentials_cache
Using principal: someuser\@somedomain.org@SOMEDOMAIN.ORG
PA Option X509_user_identity = FILE:/etc/awingu/domains/WORKSPACEDOMAIN/ac02f8b1-9725-4417-91f4-80544ab90d11/certificate.pem,/etc/awingu/domains/WORKSPACEDOMAIN/ac02f8b1-9725-4417-91f4-80544ab90d11/private_key.pem
[323] 1643029531.34277: Getting initial credentials for someuser\@somedomain.org@SOMEDOMAIN.ORG
[323] 1643029531.34279: Sending unauthenticated request
[323] 1643029531.34280: Sending request (220 bytes) to SOMEDOMAIN.ORG
[323] 1643029531.34281: Resolving hostname somehost.somedomain.org
[323] 1643029531.34282: Sending initial UDP request to dgram 10.1.2.3:88
[323] 1643029531.34283: Received answer (215 bytes) from dgram 10.1.2.3:88
[323] 1643029531.34284: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[323] 1643029531.34285: No URI records found
[323] 1643029531.34286: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[323] 1643029531.34287: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[323] 1643029531.34288: No SRV records found
[323] 1643029531.34289: Response was not from master KDC
[323] 1643029531.34290: Received error from KDC: -1765328359/Additional pre-authentication required
[323] 1643029531.34293: Preauthenticating using KDC method data
[323] 1643029531.34294: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[323] 1643029531.34295: Selected etype info: etype aes256-cts, salt "SOMEDOMAIN.ORGsomeuser", params ""
[323] 1643029531.34296: PKINIT loading CA certs and CRLs from FILE
[323] 1643029531.34297: PKINIT client computed kdc-req-body checksum 9/07AED58DC8D9BE3E54B5EA229086654CF1E44F6E
[323] 1643029531.34299: PKINIT client making DH request
[323] 1643029531.34300: Preauth module pkinit (16) (real) returned: 0/Success
[323] 1643029531.34301: Produced preauth for next request: PA-PK-AS-REQ (16)
[323] 1643029531.34302: Sending request (5864 bytes) to SOMEDOMAIN.ORG
[323] 1643029531.34303: Resolving hostname somehost.somedomain.org
[323] 1643029531.34304: Initiating TCP connection to stream 10.1.2.3:88
[323] 1643029531.34305: Sending TCP request to stream 10.1.2.3:88
[323] 1643029531.34306: Received answer (3011 bytes) from stream 10.1.2.3:88
[323] 1643029531.34307: Terminating TCP connection to stream 10.1.2.3:88
[323] 1643029531.34308: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[323] 1643029531.34309: No URI records found
[323] 1643029531.34310: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[323] 1643029531.34311: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[323] 1643029531.34312: No SRV records found
[323] 1643029531.34313: Response was not from master KDC
[323] 1643029531.34314: Received error from KDC: -1765328361/Password has expired
[323] 1643029531.34316: Recovering from KDC error 23 using preauth mech PA-PK-AS-REQ (16)
[323] 1643029531.34317: Preauth tryagain input types (16): PA-PK-AS-REP (17)
[323] 1643029531.34318: Preauth module pkinit (16) tryagain returned: 0/Success
[323] 1643029531.34319: Retrying AS request with master KDC
[323] 1643029531.34320: Getting initial credentials for someuser\@somedomain.org@SOMEDOMAIN.ORG
[323] 1643029531.34322: Sending unauthenticated request
[323] 1643029531.34323: Sending request (220 bytes) to SOMEDOMAIN.ORG (master)
[323] 1643029531.34324: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[323] 1643029531.34325: No URI records found
[323] 1643029531.34326: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[323] 1643029531.34327: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[323] 1643029531.34328: No SRV records found
[323] 1643029531.34329: Principal expired; getting changepw ticket
[323] 1643029531.34330: Getting initial credentials for someuser\@somedomain.org@SOMEDOMAIN.ORG
[323] 1643029531.34331: Setting initial creds service to kadmin/changepw
[323] 1643029531.34333: Sending unauthenticated request
[323] 1643029531.34334: Sending request (210 bytes) to SOMEDOMAIN.ORG
[323] 1643029531.34335: Resolving hostname somehost.somedomain.org
[323] 1643029531.34336: Sending initial UDP request to dgram 172.27.0.10:88
[323] 1643029532.517654: Sending initial UDP request to dgram 10.1.2.3
[323] 1643029532.517655: Received answer (205 bytes) from dgram 10.1.2.3
[323] 1643029532.517656: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[323] 1643029532.517657: No URI records found
[323] 1643029532.517658: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[323] 1643029532.517659: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[323] 1643029532.517660: No SRV records found
[323] 1643029532.517661: Response was not from master KDC
[323] 1643029532.517662: Received error from KDC: -1765328359/Additional pre-authentication required
[323] 1643029532.517665: Preauthenticating using KDC method data
[323] 1643029532.517666: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[323] 1643029532.517667: Selected etype info: etype aes256-cts, salt "SOMEDOMAIN.ORGsomeuser", params ""
[323] 1643029532.517668: PKINIT loading CA certs and CRLs from FILE
[323] 1643029532.517669: PKINIT client computed kdc-req-body checksum 9/8FEA06C1B09A5F23B9186332AF62EAB9DE86332A
[323] 1643029532.517671: PKINIT client making DH request
[323] 1643029532.517672: Preauth module pkinit (16) (real) returned: 0/Success
[323] 1643029532.517673: Produced preauth for next request: PA-PK-AS-REQ (16)
[323] 1643029532.517674: Sending request (5854 bytes) to SOMEDOMAIN.ORG
[323] 1643029532.517675: Resolving hostname somehost.somedomain.org
[323] 1643029532.517676: Initiating TCP connection to stream 10.1.2.3:88
[323] 1643029532.517677: Sending TCP request to stream 10.1.2.3:88
[323] 1643029532.517678: Received answer (5177 bytes) from stream 10.1.2.3:88
[323] 1643029532.517679: Terminating TCP connection to stream 10.1.2.3:88
[323] 1643029532.517680: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[323] 1643029532.517681: No URI records found
[323] 1643029532.517682: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[323] 1643029532.517683: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[323] 1643029532.517684: No SRV records found
[323] 1643029532.517685: Response was not from master KDC
[323] 1643029532.517686: Processing preauth types: PA-PK-AS-REP (17)
[323] 1643029532.517687: PKINIT client verified DH reply
[323] 1643029532.517688: PKINIT client config accepts KDC dNSName SAN somehost.somedomain.org
[323] 1643029532.517689: PKINIT client found dNSName SAN in KDC cert: somedc.somead.somedomain.org
[323] 1643029532.517690: PKINIT client found dNSName SAN in KDC cert: somead.somedomain.org
[323] 1643029532.517691: PKINIT client found dNSName SAN in KDC cert: SOMEDOMAIN
[323] 1643029532.517692: PKINIT client matched KDC hostname somehost.somedomain.org against dNSName SAN; EKU check still required
[323] 1643029532.517693: PKINIT found acceptable EKU and digitalSignature KU
[323] 1643029532.517694: PKINIT client found acceptable EKU in KDC cert
[323] 1643029532.517695: PKINIT client used octetstring2key to compute reply key aes256-cts/AAF4
[323] 1643029532.517696: Preauth module pkinit (17) (real) returned: 0/Success
[323] 1643029532.517697: Produced preauth for next request: (empty)
[323] 1643029532.517698: AS key determined by preauth: aes256-cts/AAF4
[323] 1643029532.517699: Decrypted AS reply; session key is: aes256-cts/3A99
[323] 1643029532.517700: FAST negotiation: unavailable
[323] 1643029532.517701: Attempting password change; 3 tries remaining
kinit: Cannot read password while getting initial credentials
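To triage a trace like the one above automatically, here is an added example (not part of this article or the product's own code): a small Python script that pulls every KDC error out of KRB5_TRACE output, treats the expected pre-authentication error as benign, and reports the expired-password case. The sample traces are constructed from the lines shown above, with placeholder realm, hostnames and timestamps.

```python
import re

# KRB5_TRACE lines constructed to mirror the failing trace in this article;
# realm, hostnames and timestamps are placeholders, not real values.
EXPIRED_TRACE = """\
[323] 1643029531.34290: Received error from KDC: -1765328359/Additional pre-authentication required
[323] 1643029531.34301: Produced preauth for next request: PA-PK-AS-REQ (16)
[323] 1643029531.34314: Received error from KDC: -1765328361/Password has expired
[323] 1643029531.34329: Principal expired; getting changepw ticket
[323] 1643029532.517701: Attempting password change; 3 tries remaining
kinit: Cannot read password while getting initial credentials
"""

# Constructed trace of a healthy PKINIT logon, for comparison.
HEALTHY_TRACE = """\
[324] 1643029600.10001: Received error from KDC: -1765328359/Additional pre-authentication required
[324] 1643029600.10002: Produced preauth for next request: PA-PK-AS-REQ (16)
[324] 1643029600.10003: PKINIT client verified DH reply
[324] 1643029600.10004: Decrypted AS reply; session key is: aes256-cts/3A99
"""

KDC_ERROR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.*)$")

# MIT krb5 codes: -1765328359 is KRB5KDC_ERR_PREAUTH_REQUIRED (KDC error 25),
# expected with PKINIT because the client answers it with PA-PK-AS-REQ;
# -1765328361 is KRB5KDC_ERR_KEY_EXP (KDC error 23), the password has expired.
PREAUTH_REQUIRED = -1765328359
KEY_EXPIRED = -1765328361

def kdc_errors(trace: str) -> list[tuple[int, str]]:
    """Every (code, message) pair the KDC returned, in trace order."""
    return [(int(m.group(1)), m.group(2).strip())
            for line in trace.splitlines()
            if (m := KDC_ERROR_RE.search(line))]

def diagnose(trace: str) -> str:
    """Map a KRB5_TRACE excerpt to the failure class this article describes."""
    real_errors = [(c, m) for c, m in kdc_errors(trace) if c != PREAUTH_REQUIRED]
    if any(c == KEY_EXPIRED for c, _ in real_errors):
        # After KEY_EXP, kinit falls back to a kadmin/changepw ticket and tries
        # to read a new password; the SSO worker has no terminal, so that fails.
        if "Cannot read password" in trace:
            return "password-expired: change required, no interactive prompt available"
        return "password-expired"
    if real_errors:
        return "kdc-error: " + "; ".join(f"{c}/{m}" for c, m in real_errors)
    if "Decrypted AS reply" in trace:
        return "ok: initial credentials obtained"
    return "inconclusive: no AS reply and no KDC error in excerpt"
```

Feed it the relevant excerpt of awingu-worker-smc.service.log; any KDC error other than pre-authentication required is reported verbatim so that unrelated failures are not mistaken for an expired password.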
Cause
The user's password has expired.
Resolution
Have the user navigate to the Workspace again (if needed, from a private/incognito browser tab or other browser) and let them try again.
If the problem persists, contact the support team.