Troubleshooting Kerberos Authentication with ZENworks 10.3

  • 7005983
  • 17-May-2010
  • 02-Jan-2013

Environment

Novell ZENworks 10 Configuration Management

Situation

How to troubleshoot Kerberos authentication.

Resolution

  1. Ensure that the managed device (the machine running the ZENworks agent) is a member of the Active Directory domain.
    Note: It is not necessary for the ZENworks Server to be a member of the AD domain.
  2. Ensure that the user logging into ZENworks has the userPrincipalName attribute set properly (check with setspn or adsiedit).
  3. Ensure that Kerberos authentication works successfully outside of ZENworks (see the Microsoft Kerberos troubleshooting pages).
  4. Ensure that the keytab file was entered correctly on the ZCC Configuration User Source setup page.
  5. Enable client and server logging (see debug TID 3418069).
    Note: for server-side logging, use the embedded CASA logs first. This is new in 10.3. See the section
    "Standard ZENworks port (eg: 443)".
    The services must be restarted for logging to begin on the server.
  6. Note: If both Kerberos and Password authentication are set up for the ZENworks user source, Kerberos is used first (check the order in the iaRealms.xml file on the server for confirmation).

Additional Information

Some errors seen and their reasons:
 
  1. ERROR (from server ats.log):
    2010-05-17 07:11:31,851 WARN authtoksvc.Krb5Authenticate$Krb5Token Krb5Token Constructor()- GSS Exception caught: Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
    2010-05-17 07:11:31,851 WARN authtoksvc.Krb5Authenticate invoke()- Exception: java.lang.Exception: Authentication Failure
    2010-05-17 07:11:31,851 INFO authtoksvc.Authenticate invoke()- identId not resolved

    By default, the Active Directory KDC requires that an authenticating device's clock be within 5 minutes of the KDC server's clock. In this case the ZENworks security principal cannot log in because the ZENworks server's time is off by more than 5 minutes. Correct the time synchronization.
  2. ERROR (from server ats.log):
    authtoksvc.AuthMechConfig getSetting()- Setting value = host@zenServer.users.w2008domain.com
    no valid credentials provided (Mechanism level: Failed to find any Kerberos Key)

    Ensure that the ZENworks Security Principal name was set properly when the keytab was generated.  Example:
    ktpass /princ HOST/atserver.w2008domain.com@W2008DOMAIN.COM -pass Novell123 -mapuser w2008domain\atserver -out q:ATSServerHost.keytab -mapOp set -ptype KRB5_NT_PRINCIPAL
  3. ERROR (from CasaAuthToken.log on the workstation):
    [88-15D8] [15:09:39] CASA_KrbMech -AuthTokenIf_GetAuthToken- Failed to initialize the security context, error = 8009030E
    [88-15D8] [15:09:39] CASA_KrbMech -AuthTokenIf_GetAuthToken- End, retStatus = C7FE0001

    This error is seen on a workstation that attempted ZENworks Kerberos authentication while not a member of the domain.
  4. ERROR (from ats.log):
    2012-10-18 13:03:49,813 INFO authtoksvc.Krb5Authenticate invoke()- No matching identity entities found
    2012-10-18 13:03:49,813 INFO authtoksvc.Authenticate invoke()- identId not resolved
    This is returned if the LDAP search of the domain fails to find the userPrincipalName attribute for the logged-in user.
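The four error signatures above recur often enough that it is worth automating the first pass over the logs. The following triage helper is an added example written for this article, not ZENworks or CASA code: it maps each signature listed in this section to the cause and the corrective step from the Resolution section. The sample log excerpt is constructed from the lines shown above; the generic "identId not resolved" line is deliberately left unmatched because it accompanies several different root causes.

```python
"""Triage ZENworks Kerberos authentication failures from ats.log / CasaAuthToken.log lines.

Hypothetical helper (not ZENworks or CASA code). It maps the error signatures
listed in this TID to the likely cause and the corrective action from the
Resolution section. The sample log lines below are constructed from the TID.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Diagnosis:
    cause: str
    action: str


# Signature -> diagnosis. Each pattern is matched case-insensitively against one log line.
SIGNATURES = [
    (re.compile(r"Clock skew too great", re.I),
     Diagnosis("time skew between the server/device and the KDC exceeds the 5-minute AD default",
               "synchronise the ZENworks server (and device) clock with the domain controller")),
    (re.compile(r"Failed to find any Kerberos Key", re.I),
     Diagnosis("no keytab entry matches the configured ZENworks security principal",
               "regenerate the keytab with ktpass using the correct /princ and re-enter it in ZCC")),
    (re.compile(r"Failed to initialize the security context, error = 8009030E", re.I),
     Diagnosis("workstation is not a member of the AD domain",
               "join the managed device to the domain and log in with a domain account")),
    (re.compile(r"No matching identity entities found", re.I),
     Diagnosis("LDAP search did not find a userPrincipalName for the logged-in user",
               "set the user's userPrincipalName in AD (adsiedit) and re-check the user source")),
]


def diagnose_line(line: str) -> Optional[Diagnosis]:
    """Return the diagnosis for one log line, or None if it carries no known signature."""
    for pattern, diagnosis in SIGNATURES:
        if pattern.search(line):
            return diagnosis
    return None


def triage(log_text: str) -> list[tuple[str, Diagnosis]]:
    """Scan a log excerpt and return (line, diagnosis) pairs for every recognised failure."""
    findings = []
    for line in log_text.splitlines():
        diagnosis = diagnose_line(line)
        if diagnosis is not None:
            findings.append((line.strip(), diagnosis))
    return findings


# Constructed sample: the error excerpts from this TID, in the order they appear above.
SAMPLE_LOG = """\
2010-05-17 07:11:31,851 WARN authtoksvc.Krb5Authenticate$Krb5Token Krb5Token Constructor()- GSS Exception caught: Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
2010-05-17 07:11:31,851 INFO authtoksvc.Authenticate invoke()- identId not resolved
authtoksvc.AuthMechConfig getSetting()- Setting value = host@zenServer.users.w2008domain.com
no valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
[88-15D8] [15:09:39] CASA_KrbMech -AuthTokenIf_GetAuthToken- Failed to initialize the security context, error = 8009030E
2012-10-18 13:03:49,813 INFO authtoksvc.Krb5Authenticate invoke()- No matching identity entities found
"""

if __name__ == "__main__":
    for line, d in triage(SAMPLE_LOG):
        print(f"{d.cause}\n  -> {d.action}\n  line: {line[:80]}")
```

Run it against a copied ats.log or CasaAuthToken.log excerpt; anything it does not flag still needs to be read by hand, since the table only covers the signatures documented here.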
 
Example of a ktpass command line to set up the user zenserverprinc as the Kerberos user:
 
ktpass /princ HOST/atserver.w2008domain.com@W2008DOMAIN.COM -pass password -mapuser w2008domain\atserver -out q:ATSServerHost.keytab -mapOp set -ptype KRB5_NT_PRINCIPAL
Example of running klist tgt for the logged-in user, zenuser, who holds a Kerberos ticket from AD:
 
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: zenUser
DomainName: W2008DOMAIN.COM
TargetDomainName: W2008DOMAIN.COM
AltTargetDomainName: W2008DOMAIN.COM
TicketFlags: 0x40e00000
KeyExpirationTime: 0/40/4 0:00:10776
StartTime: 5/18/2010 6:30:22
EndTime: 5/18/2010 16:30:22
RenewUntil: 5/25/2010 6:30:22
TimeSkew: 5/25/2010 6:30:22
 
Example of running klist tickets to show that the ZENworks principal, zenServerprinc, is authenticated:
 
   Server: zenServer/users.w2008domain.com@W2008DOMAIN.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 5/18/2010 16:30:22
      Renew Time: 5/25/2010 6:30:22
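When checking step 3 of the Resolution (Kerberos works outside ZENworks), the two klist outputs above are what a practitioner reads by eye: is the TGT from the expected realm and still valid, and does a service ticket for the ZENworks principal exist. The following parser is an added example written for this article, not a Microsoft or ZENworks tool; it reads the "klist tgt" and "klist tickets" text shown above (embedded here as constructed samples) and answers those two questions for a given point in time. It tolerates fields that are not valid timestamps, such as the KeyExpirationTime value in the sample.

```python
"""Check klist output from a managed device for the conditions this TID describes.

Hypothetical helper (not a ZENworks or Microsoft tool). It parses the text
printed by the older Windows 'klist tgt' / 'klist tickets' commands, confirms
the TGT belongs to the expected realm and is valid at a given time, and finds
the service ticket for the ZENworks principal. Sample text is constructed
from the output shown in this TID.
"""
from datetime import datetime
from typing import Optional

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # klist prints e.g. 5/18/2010 6:30:22


def parse_klist_tgt(text: str) -> dict:
    """Turn the 'Key: Value' lines of 'klist tgt' output into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.strip().endswith(":"):
            continue  # skip the 'Cached TGT:' header and blank lines
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_time(value: str) -> Optional[datetime]:
    """Parse a klist timestamp; return None for values that are not a valid date."""
    try:
        return datetime.strptime(value, TIME_FMT)
    except ValueError:
        return None


def tgt_is_usable(fields: dict, realm: str, now: datetime) -> bool:
    """True if the TGT was issued by `realm` and `now` falls inside [StartTime, EndTime)."""
    if fields.get("DomainName", "").upper() != realm.upper():
        return False
    start = parse_time(fields.get("StartTime", ""))
    end = parse_time(fields.get("EndTime", ""))
    if start is None or end is None:
        return False
    return start <= now < end


def parse_klist_tickets(text: str) -> list[dict]:
    """Group 'klist tickets' output into one dict per 'Server:' block."""
    tickets, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Server:"):
            current = {"Server": stripped.split(":", 1)[1].strip()}
            tickets.append(current)
        elif current is not None and ":" in stripped:
            key, value = stripped.split(":", 1)
            current[key.strip()] = value.strip()
    return tickets


def service_ticket_for(tickets: list[dict], principal: str, now: datetime) -> Optional[dict]:
    """Return the unexpired ticket whose Server field starts with `principal`, else None."""
    for ticket in tickets:
        if ticket["Server"].lower().startswith(principal.lower()):
            end = parse_time(ticket.get("End Time", ""))
            if end is not None and now < end:
                return ticket
    return None


# Constructed samples, copied from the klist output shown in this TID.
KLIST_TGT = """\
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: zenUser
DomainName: W2008DOMAIN.COM
TargetDomainName: W2008DOMAIN.COM
AltTargetDomainName: W2008DOMAIN.COM
TicketFlags: 0x40e00000
KeyExpirationTime: 0/40/4 0:00:10776
StartTime: 5/18/2010 6:30:22
EndTime: 5/18/2010 16:30:22
RenewUntil: 5/25/2010 6:30:22
TimeSkew: 5/25/2010 6:30:22
"""

KLIST_TICKETS = """\
   Server: zenServer/users.w2008domain.com@W2008DOMAIN.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 5/18/2010 16:30:22
      Renew Time: 5/25/2010 6:30:22
"""

if __name__ == "__main__":
    when = datetime(2010, 5, 18, 12, 0, 0)  # a time inside the sample ticket's lifetime
    print("TGT usable:", tgt_is_usable(parse_klist_tgt(KLIST_TGT), "W2008DOMAIN.COM", when))
    print("ZENworks ticket:", service_ticket_for(parse_klist_tickets(KLIST_TICKETS), "zenServer/", when))
```

The realm comparison is case-insensitive because the Kerberos realm is printed in upper case while the same name appears in lower case in the service principal; the service-ticket lookup matches on the `zenServer/` prefix so the check does not depend on the exact host part.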