Troubleshooting Kerberos Authentication with ZENworks 10.3

  • 7005983
  • 17-May-2010
  • 02-Jan-2013


Novell ZENworks 10 Configuration Management


How to troubleshoot Kerberos authentication.


  1. Ensure that the ZENworks Managed Agent device machine is a member of the Active Directory domain. 
    Note:  It is not necessary for the ZENworks Server to be a member of the AD domain.
  2. Ensure that the user logging into ZENworks has the userPrincipalName set properly (setspn or adsiedit ).
  3. Ensure that Kerberos authentication works sucessfully outside of ZENworks.  (See Microsoft Kerberos troubleshooting pages).
  4. Ensure that the keytab file was entered correctly into ZCC Configuration User Source setup page.
  5. Enable client and server logging (see debug TID 3418069). 
    Note for server side logging, use the embedded casa logs first.  This is new to 10.3.  See section:
    "Standard ZENworks port (eg: 443)"
    The services must be restarted for logging to begin on server.
  6. Note:  If both Kerberos and Password authentication are set up for the ZENworks user source, Kerberos will be used first (note order in iaRealms.xml file on server for confirmation).

Additional Information

Some errors seen and their reasons:
  1. ERROR (from server ats.log):
    2010-05-17 07:11:31,851 WARN authtoksvc.Krb5Authenticate$Krb5Token Krb5Token Constructor()- GSS Exception caught: Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
    2010-05-17 07:11:31,851 WARN authtoksvc.Krb5Authenticate invoke()- Exception: java.lang.Exception: Authentication Failure
    2010-05-17 07:11:31,851 INFO authtoksvc.Authenticate invoke()- identId not resolved

    By default, the Active Directory KDC requires 5 minute synch between an authenticating device time and the time on the KDC server.  In this case the ZENworks security principal cannot log in as the ZENworks server time is off by more than 5 minutes.  Correct the time synch.
  2. ERROR (from server ats.log):
    authtoksvc.AuthMechConfig getSetting()- Setting value =</text >
    no valid credentials provided (Mechanism level: Failed to find any Kerberos Key)

    Ensure that the ZENworks Security Principal name was set properly when the keytab was generated.  Example:
    ktpass /princ HOST/ -pass Novell123 -mapuser w2008domain\atserver -out q:ATSServerHost.keytab -mapOp set -ptype KRB5_NT_PRINCIPAL
  3. ERROR (from CasaAuthToken.log on the workstation):
    [88-15D8] [15:09:39] CASA_KrbMech -AuthTokenIf_GetAuthToken- Failed to initialize the security context, error = 8009030E
    [88-15D8] [15:09:39] CASA_KrbMech -AuthTokenIf_GetAuthToken- End, retStatus = C7FE0001

    This is an error seen on a workstation that attempted ZENworks Kerberos Authentication while not a member of the Domain.
  4. ERROR (from ats.log):
    2012-10-18 13:03:49,813 INFO authtoksvc.Krb5Authenticate invoke()- No matching identity entities found
    2012-10-18 13:03:49,813 INFO authtoksvc.Authenticate invoke()- identId not resolved
    This is returned if ldap search of the domain fails to find UserPrincipalName attribute for the logged in user.
Example of ktpass to set user zenserverprinc as kerberos user command line:
ktpass /princ HOST/ -pass password -mapuser w2008domain\atserver -out q:ATSServerHost.keytab -mapOp set -ptype KRB5_NT_PRINCIPAL
Example of running klist tgt for logged in user - zenuser - who has krb ticket from AD:
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: zenUser
DomainName: W2008DOMAIN.COM
TargetDomainName: W2008DOMAIN.COM
AltTargetDomainName: W2008DOMAIN.COM
TicketFlags: 0x40e00000
KeyExpirationTime: 0/40/4 0:00:10776
StartTime: 5/18/2010 6:30:22
EndTime: 5/18/2010 16:30:22
RenewUntil: 5/25/2010 6:30:22
TimeSkew: 5/25/2010 6:30:22
Example of running klist tickets to show that the ZENworks principal - zenServerprinc - is authenticated:
   Server: zenServer/
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 5/18/2010 16:30:22
      Renew Time: 5/25/2010 6:30:22