Skyhigh Security

Troubleshooting Kerberos

Flush DNS and Purge tickets on client

If you recently added the DNS entry for the MWG, you may need to flush the DNS cache on your workstation. Afterwards, purge any existing Kerberos tickets as well, so that the client requests a fresh service ticket for the proxy's SPN on its next connection. Both commands are run from a command prompt on the Windows client:

ipconfig /flushdns

klist purge

Observed errors

mwg-core.errors.log

Kerberos authentication failures are logged on the Web Gateway in mwg-core.errors.log:

tail /opt/mwg/log/mwg-errors/mwg-core.errors.log

The name the client used to reach the proxy (and therefore the SPN it requested a ticket for) does not match the principal you specified in the keytab:

[Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key table entry not found'

The keytab was most likely regenerated (which increments the key version number on the KDC), so the keytab currently uploaded to the Web Gateway is no longer valid:

[Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key version number for principal in key table is incorrect'

The clocks are out of sync between the client, the KDC and the Web Gateway (Kerberos tolerates 5 minutes of skew by default):

[Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Tick

The client provided an invalid token, i.e. the Negotiate header could not be parsed as a SPNEGO token (in my test, this was a non-domain user using Firefox):

[Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'S
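As an added example (not part of the Skyhigh article), the following shell script maps the error strings quoted above to their likely cause and counts how often each occurs, so a busy log can be triaged at a glance. The sample log lines are constructed for the example; the two complete message texts are the ones shown above, while the SPNEGO message is left elided because the article truncates it. The script classifies that case by the component name instead.

```shell
#!/usr/bin/env bash
# Added example, not from the Skyhigh article: triage Kerberos errors in
# mwg-core.errors.log by mapping known GSS/SPNEGO messages to a likely cause.

# Classify one log line. Specific messages first, generic fallbacks last.
diagnose_line() {
    case "$1" in
        *"'Key table entry not found'"*)
            echo "SPN mismatch: client used a proxy name that is not in the keytab" ;;
        *"'Key version number for principal in key table is incorrect'"*)
            echo "stale keytab: keytab was regenerated, upload the new one" ;;
        *"'SPNEGOExtractNegotiateToken'"*)
            echo "invalid client token: client did not send a usable SPNEGO token" ;;
        *"[KerberosAuthentication]"*)
            echo "other GSS error: check time sync between client, KDC and Web Gateway" ;;
        *)
            echo "not a Kerberos authentication error" ;;
    esac
}

# Classify every line on stdin and count each cause, most frequent first.
diagnose_log() {
    while IFS= read -r line; do
        diagnose_line "$line"
    done | sort | uniq -c | sort -rn
}

# Constructed sample log. The SPNEGO message is '...' because the article
# truncates it; the other two message texts are as shown in the article.
sample_log() {
    cat <<'EOF'
[Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key table entry not found'
[Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key version number for principal in key table is incorrect'
[Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key table entry not found'
[Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : '...'
[Core] some unrelated message
EOF
}

# Stand-alone run against the constructed sample. On the appliance use:
#   diagnose_log < /opt/mwg/log/mwg-errors/mwg-core.errors.log
sample_log | diagnose_log
```

Two "SPN mismatch" hits in a row usually point at a single misconfigured client or a proxy reached by an alias (IP address or short name) that has no matching SPN, while a flood of "stale keytab" hits after a keytab regeneration affects every user at once.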

Use the blockpages

With the use of the block pages, you can add many different variables to the block page content in order to debug a situation. For example, you can add any of the Authentication.* properties to the page to determine why a rule is not matching as you would expect.

krb5-workstation

An additional Linux package is offered on the update server for troubleshooting different items. On older versions this package is installed into the /usr/kerberos directory, with the tools in /usr/kerberos/bin or /usr/kerberos/sbin; on current versions the tools are on the default PATH.

yum install krb5-workstation

/usr/kerberos/bin/klist -h (on older versions)

klist -h
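Two of the tools in this package, klist and kvno, are enough to verify the keytab against the KDC, which covers both the "Key table entry not found" and the "Key version number ... is incorrect" errors above. The script below is an added example, not Skyhigh's own; the keytab path and the SPN are assumptions to be replaced with your values, and kvno needs a valid TGT (kinit as any domain user first). The parsing functions are exercised against constructed klist and kvno output so the script can be run anywhere.

```shell
#!/usr/bin/env bash
# Added example, not from the Skyhigh article: compare the principal and key
# version number (kvno) in the uploaded keytab with what the KDC holds now.

# Turn `klist -kt <keytab>` output (on stdin) into "kvno principal" lines.
# Data rows start with a numeric KVNO; header and separator rows do not.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $NF }' | sort -u
}

# Extract the number from `kvno <principal>` output, e.g.
# "HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4" -> 4
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# $1 = principal, $2 = keytab entries text, $3 = kvno reported by the KDC.
# Prints "ok", "kvno-mismatch" or "principal-missing".
compare_kvno() {
    local want
    want=$(printf '%s\n' "$2" | awk -v p="$1" '$2 == p { print $1 }' | sort -n | tail -n 1)
    if [ -z "$want" ]; then
        echo "principal-missing"
    elif [ "$want" != "$3" ]; then
        echo "kvno-mismatch"
    else
        echo "ok"
    fi
}

# Assumptions: keytab path as uploaded to the Web Gateway, and the proxy SPN.
KEYTAB=${KEYTAB:-/path/to/mwg.keytab}
SPN=${SPN:-HTTP/proxy.example.com@EXAMPLE.COM}

# Stand-alone run: only queries the real tools when they and the keytab exist.
if command -v klist >/dev/null 2>&1 && [ -r "$KEYTAB" ]; then
    entries=$(klist -kt "$KEYTAB" | keytab_entries)
    echo "keytab entries:"; printf '%s\n' "$entries"
    current=$(kvno "$SPN" 2>/dev/null | kdc_kvno)
    if [ -z "$current" ]; then
        echo "kvno query failed: obtain a TGT first (kinit user@REALM)"
    else
        echo "KDC kvno for $SPN: $current"
        compare_kvno "$SPN" "$entries" "$current"
    fi
else
    echo "klist not installed or $KEYTAB not readable; nothing checked"
fi
```

"principal-missing" corresponds to the 'Key table entry not found' error (the SPN the clients request is not in the keytab, often because they reach the proxy by an alias), and "kvno-mismatch" corresponds to the 'Key version number ... is incorrect' error (the account's keys were regenerated after this keytab was exported).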

Wireshark (tcpdump)

Client side -- Obtaining a Wireshark capture on the client machine (not the Web Gateway) will show the communication with the KDC, so you can see which tickets were issued (the TGS-REQ/TGS-REP exchange for the proxy's SPN) and whether the KDC returned any KRB-ERROR responses. The display filter "kerberos" limits the view to that traffic.

Network Identity Manager

Client side -- To track down any potential client issues, a tool called "Network Identity Manager" has been useful for viewing the Kerberos tickets held by a user. This tool can be found at: http://www.secure-endpoints.com/netidmgr/v2/.
