Troubleshooting Kerberos
I am unable to log in using Kerberos through the PingOne gateway
If you have configured the PingOne gateway to support Kerberos authentication but users still see a login screen, check the audit logs for Kerberos failures. Learn more in Event types. A failed Kerberos login is recorded as an ACCESS_FAILED event with an INVALID_TOKEN detail, for example:
{
  "id" : "f0509c78-9d00-4c69-92e0-6528d7cd5494",
  "code" : "ACCESS_FAILED",
  "message" : "The request could not be completed. You do not have access to this resource.",
  "details" : [ {
    "code" : "INVALID_TOKEN",
    "message" : "Kerberos ticket is invalid"
  } ]
}
The "Kerberos ticket is invalid" error shows that the browser did submit a Kerberos ticket, but the ticket was invalid or could not otherwise be processed.
This error occurs when:

The KDC is not issuing tickets with AES encryption

1. In Windows, open a command prompt and enter klist.
   There should be a ticket for each service for which you configured SPNs (for example, kerberos.pingone.com and d3vol3lyj0eg62.cloudfront.net). Learn more in Creating SPNs.
2. Check the KerbTicket Encryption Type of those tickets.
   If the KerbTicket Encryption Type is RSADSI RC4-HMAC, the ticket is not supported by PingOne, because PingOne requires AES encryption.
3. On your server, in Active Directory Users and Computers, find the user account that is attempting to access PingOne using Kerberos.
4. Right-click the account and select Properties.
5. Click the Account tab.
6. In the Account Options section, select This account supports Kerberos AES 256 bit encryption.
7. If there is still a login error, you might need to purge the existing Kerberos tickets. To purge tickets:
   a. Open a command prompt and enter klist purge.
   b. Sign out of Windows and sign back in.
   c. Attempt Kerberos authentication.
8. Discuss with your Active Directory admin the best way to ensure the KDC issues tickets using AES encryption for all users.
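The klist check above can be scripted so that the encryption type of the ticket for each configured SPN is reported in one pass rather than read by eye. The following PowerShell is an added example and not part of the PingOne documentation: it parses klist output, matches the Server line against the SPN hosts named on this page, and flags any ticket whose KerbTicket Encryption Type is not AES. The klist text embedded in it is constructed sample output; on a real client, capture the live output with `$lines = klist` instead.

```powershell
# Added example, not part of the PingOne documentation: parse klist output and
# report the KerbTicket Encryption Type for each configured SPN, flagging tickets
# that are not AES. Assumptions: the SPN hosts are the two named on this page;
# the klist text below is constructed sample output.

function Get-KerbTicketEncryption {
    param(
        [Parameter(Mandatory)] [string[]] $KlistLines,
        [Parameter(Mandatory)] [string[]] $SpnHosts
    )
    $results = @()
    $currentServer = $null
    foreach ($line in $KlistLines) {
        if ($line -match '^\s*Server:\s*(\S+)') {
            # klist prints "Server: HTTP/host @ REALM" just above the encryption type line
            $currentServer = $Matches[1]
        }
        elseif ($currentServer -and $line -match '^\s*KerbTicket Encryption Type:\s*(.+?)\s*$') {
            $etype = $Matches[1]
            foreach ($spnHost in $SpnHosts) {
                if ($currentServer -like "*/$spnHost") {
                    $results += [pscustomobject]@{
                        Server         = $currentServer
                        EncryptionType = $etype
                        # AES tickets print as e.g. "AES-256-CTS-HMAC-SHA1-96";
                        # RC4 prints as "RSADSI RC4-HMAC(NT)" and is rejected by PingOne
                        IsAes          = ($etype -like 'AES*')
                    }
                }
            }
            $currentServer = $null
        }
    }
    return $results
}

# Constructed sample klist output (on a real client use: $lines = klist)
$raw = @'
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: jdoe @ EXAMPLE.COM
        Server: HTTP/kerberos.pingone.com @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize

#1>     Client: jdoe @ EXAMPLE.COM
        Server: HTTP/d3vol3lyj0eg62.cloudfront.net @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
'@
$lines = $raw -split "`r?`n"

$report = Get-KerbTicketEncryption -KlistLines $lines `
    -SpnHosts @('kerberos.pingone.com', 'd3vol3lyj0eg62.cloudfront.net')
$report | Format-Table -AutoSize

$nonAes = @($report | Where-Object { -not $_.IsAes })
if ($nonAes.Count -gt 0) {
    Write-Warning ("PingOne requires AES; non-AES ticket(s) found for: " + ($nonAes.Server -join ', ') +
                   ". Enable AES 256 on the account, then run 'klist purge' and sign in again.")
}
```

With the sample data the first SPN is reported with RSADSI RC4-HMAC(NT) and IsAes False, which is exactly the condition step 2 tells you to look for; a ticket that is still RC4 after the account flag has been changed usually means the old ticket is cached and klist purge has not yet been run.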
The service account for the PingOne Gateway is not configured to use AES encryption for Kerberos

1. In Active Directory Users and Computers, find the service account you configured for the PingOne Gateway Kerberos integration.
2. Right-click the account and select Properties.
3. On the Account tab, in the Account Options section, select This account supports Kerberos AES 256 bit encryption.
4. Restart the Gateway instance. Learn more in Starting a gateway instance.
5. Confirm that Kerberos login is working.
6. If Kerberos authentication is still not working, purge the existing Kerberos tickets:
   a. Open a command prompt and enter klist purge.
   b. Sign out of Windows and sign back in.
   c. Attempt Kerberos authentication.
7. If Kerberos authentication is still not working, you must reset the password for the service account. Then, repeat step 6.
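The checkbox used in both procedures above sets bits in the account's msDS-SupportedEncryptionTypes attribute, so the state of a user account and of the gateway service account can be verified from PowerShell instead of clicking through Active Directory Users and Computers. The following is an added example, not PingOne's own tooling: it decodes the attribute's documented bit flags and reports whether AES 256 is enabled for an account. It needs the ActiveDirectory (RSAT) module for the live lookup; the account names in the final line are placeholders, not values from this page, and the 0x1C value fed to the decoder is a constructed sample.

```powershell
# Added example, not part of the PingOne documentation: decode the
# msDS-SupportedEncryptionTypes attribute that the "This account supports
# Kerberos AES 256 bit encryption" checkbox sets, for the user account and for
# the gateway service account. Requires the ActiveDirectory (RSAT) module for
# Get-ADUser; account names at the bottom are placeholders, not from this page.

# Bit flags of msDS-SupportedEncryptionTypes as documented by Microsoft.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128_CTS  = 0x08
    AES256_CTS  = 0x10
}

function ConvertFrom-SupportedEncryptionTypes {
    param([int] $Value)
    # Unset or 0 means the account has no explicit setting; the KDC then applies
    # the domain default, which on older domains is RC4 for service tickets.
    if ($Value -eq 0) { return @('(not set: domain default)') }
    $names = foreach ($kv in $EncTypeBits.GetEnumerator()) {
        if ($Value -band $kv.Value) { $kv.Key }
    }
    return @($names)
}

function Test-AccountSupportsAes256 {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    # Live directory lookup; the attribute is not returned unless requested explicitly.
    $acct = Get-ADUser -Identity $SamAccountName -Properties msDS-SupportedEncryptionTypes
    $rawValue = [int]($acct.'msDS-SupportedEncryptionTypes')   # $null becomes 0
    [pscustomobject]@{
        Account   = $SamAccountName
        RawValue  = ('0x{0:X}' -f $rawValue)
        Types     = (ConvertFrom-SupportedEncryptionTypes $rawValue) -join ', '
        HasAes256 = [bool]($rawValue -band $EncTypeBits.AES256_CTS)
    }
}

# Offline check of the decoder with a constructed value: RC4 + AES128 + AES256
ConvertFrom-SupportedEncryptionTypes 0x1C    # RC4_HMAC, AES128_CTS, AES256_CTS

# Live check against the directory (placeholder account names): the user from the
# first procedure and the gateway service account from the second.
# 'jdoe', 'svc-pingone-gateway' | ForEach-Object { Test-AccountSupportsAes256 $_ } | Format-Table -AutoSize
```

HasAes256 True for the service account is necessary but not sufficient: the AES keys for an account are derived from its password when the password is set, so an account whose password predates the checkbox has the flag but no AES keys, and the KDC still cannot issue an AES service ticket for it. That is why step 7 above resets the service account password before the tickets are purged again.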