Skip to content

Troubleshooting Kerberos Configuration

Increase the logging level

The first step in troubleshooting issues with Windows Authentication – Kerberos is to increase the logging level for the MSS authentication service.

  1. Edit the <install-dir>/mss/server/microservices/auth-service/service.yml file and add this to the env section:

    - name: authsvc.logging.level 
      value: DEBUG
  2. Restart the server

If you are troubleshooting a cluster of MSS servers, we recommend that you increase the logging level on all servers in the cluster.

Locate log files

Once debug logging is enabled, you can find the log output for Kerberos and OAuth operations in <install-directory>/mss/server/logs/auth-service/auth-service-osp.*.log.

Other general information for the MSS authentication service is logged to the auth-service.log file in the same location.

Identify specific issues

Check the possible causes for issues you may encounter.

Issue Possible cause
User is prompted for credentials
  • The client machine is not a member of the Active Directory domain
  • The user has not logged onto the client machine with the credentials of a user in the Active Directory domain
  • The browser (Internet Options) has not been configured for Kerberos
  • The necessary SPN has not been added to the KDC service account
User encounters the error message: “Unable to complete request at this time”
  • LDAP is misconfigured
  • The keytab file created for the service account on the KDC is not valid
User encounters the error message: XDAS_OUT_POLICY_VIOLATION
  • The proxy interface properties are not properly configured when the MSS server is behind a reverse proxy or load balancer
User encounters the error message: “This site cannot be reached”
  • The auth service is not running or has not been enabled
  • Check the service.yml to verify that the enabled setting is set to true
Authentication takes a long time
  • LDAP is configured with the standard LDAP port. Instead, configure LDAP with the global catalog port (such as 3268)
Reflection Desktop displays a “connection failed” error when trying to open a session
  • Reflection Desktop must have Centralized Management configured to access the MSS server using HTTPS
  • And, the certificate of the MSS server must be trusted by the Windows Trusted Root Certification Authorities store