You might encounter problems when you configure Certificate-to-Kerberos or SAML-to-Kerberos identity bridging in your environment. The following procedures help you diagnose and fix these problems.

Monitoring the health of the KDC server and the back-end application server

From the Edge Settings admin UI, you can quickly see whether the services you deployed are configured, up, and running.

Figure 1. Health Check - Reverse Proxy Settings

A circle is displayed in front of each service. The color coding is as follows:

  • Red Circle: If the status is Red, it can mean one of the following:

    • Connectivity issues between Unified Access Gateway and Active Directory

    • Port blocking issues between Unified Access Gateway and Active Directory.

      Note:

      Ensure that port 88 is open for both TCP and UDP on the Active Directory machine.

    • The principal name or password credentials in the uploaded keytab file might be incorrect.

  • Green Circle: If the status is Green, Unified Access Gateway is able to log in to Active Directory with the credentials provided in the keytab file.

Error creating Kerberos context: clock skew too great

This error message:

ERROR:"wsportal.WsPortalEdgeService[createKerberosLoginContext: 119][39071f3d-9363-4e22-a8d9-5e288ac800fe]: Error creating kerberos context. 
Identity bridging may not work
javax.security.auth.login.LoginException: Clock skew too great"

is displayed when the time on Unified Access Gateway and the time on the AD server are significantly out of sync. Reset the time on the AD server to match the exact UTC time on Unified Access Gateway.

Error creating Kerberos context: name or service not known

This error message:

wsportal.WsPortalEdgeService[createKerberosLoginContext: 133][]: Error creating kerberos context. 
Identity bridging may not work 
javax.security.auth.login.LoginException: Name or service not known

is displayed when Unified Access Gateway cannot reach the configured realm or cannot connect to the KDC with the user details in the keytab file. Confirm the following:

  • The keytab file is generated with the correct SPN user account password and is uploaded to Unified Access Gateway.

  • The back-end application IP address and hostname are added correctly to the host entries.

Error in receiving Kerberos token for user: user@domain.com, error: Kerberos Delegation Error: Method name: gss_acquire_cred_impersonate_name: Unspecified GSS failure. Minor code may provide more information

"Kerberos Delegation Error: Method name: gss_acquire_cred_impersonate_name: Server not found in Kerberos database"

If this message is displayed, check whether:

  • Trust between the domains is working.

  • Target SPN name is configured correctly.
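The three error messages above can be triaged automatically. The following script is an added example, not part of this documentation or of the Unified Access Gateway product: it matches the log excerpts shown on this page to the cause and checks the page gives for each, and adds a clock-skew calculation for the first case. The 5-minute tolerance and the sample log text are assumptions (the tolerance is the MIT krb5 and Windows KDC default; the sample is constructed in the format shown above).

```python
import re
from datetime import datetime

# Assumed tolerance: the default Kerberos clock-skew limit is 5 minutes.
MAX_SKEW_SECONDS = 300

# Each rule pairs a pattern from the log excerpts on this page with the cause
# and the checks the page recommends for it.
RULES = [
    (re.compile(r"LoginException: Clock skew too great"),
     "UAG and AD clocks out of sync",
     ["Reset the AD server time to match the UTC time on Unified Access Gateway"]),
    (re.compile(r"LoginException: Name or service not known"),
     "Realm or KDC unreachable with the keytab principal",
     ["Regenerate the keytab with the correct SPN account password and re-upload it",
      "Check the back-end application IP address and hostname in the host entries"]),
    (re.compile(r"gss_acquire_cred_impersonate_name: Server not found in Kerberos database"),
     "Delegation target unknown to the KDC",
     ["Verify that the trust between the domains is working",
      "Verify that the target SPN name is configured correctly"]),
]


def triage(log_text):
    """Return one (line, cause, checks) tuple per recognised error line."""
    findings = []
    for line in log_text.splitlines():
        for pattern, cause, checks in RULES:
            if pattern.search(line):
                findings.append((line.strip(), cause, checks))
                break  # first matching rule wins for a given line
    return findings


def clock_skew_seconds(uag_utc, ad_utc):
    """Absolute difference in seconds between two naive ISO-8601 UTC timestamps."""
    return abs((datetime.fromisoformat(uag_utc) - datetime.fromisoformat(ad_utc)).total_seconds())


def skew_too_great(uag_utc, ad_utc):
    """True when the two clocks differ by more than the assumed Kerberos tolerance."""
    return clock_skew_seconds(uag_utc, ad_utc) > MAX_SKEW_SECONDS


# Constructed sample in the format shown on this page (not real UAG output).
SAMPLE_LOG = """\
ERROR:"wsportal.WsPortalEdgeService[createKerberosLoginContext: 119][]: Error creating kerberos context.
javax.security.auth.login.LoginException: Clock skew too great"
wsportal.WsPortalEdgeService[createKerberosLoginContext: 133][]: Error creating kerberos context.
javax.security.auth.login.LoginException: Name or service not known
Error in receiving Kerberos token for user: user@domain.com, error: Kerberos Delegation Error: Method name: gss_acquire_cred_impersonate_name: Server not found in Kerberos database
"""
```

Running `triage(SAMPLE_LOG)` yields three findings, one per error, each carrying the checks to perform; `skew_too_great("2024-01-01T12:00:00", "2024-01-01T12:07:30")` returns True.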