Troubleshooting Kerberos Configuration

Increase the logging level

The first step in troubleshooting issues with Windows Authentication – Kerberos is to increase the logging level for the MSS authentication service.

  1. Log in to the MSS Administrative Console at https://hostname/adminconsole.

  2. Click Cluster Management from the drop-down menu.

  3. On the Services page, locate mss-auth-service.

  4. Click ellipsis Edit Properties and add this Key/Value pair:

    • Key: authsvc.logging.level
    • Value: DEBUG
  5. Click OK.

  6. On the mss-auth-service line, click ellipsis Redeploy All.


    Be aware that end users may be affected when a service is redeployed.

Locate log files

The log output for Kerberos and OAuth operations can be viewed in Cluster Management - Services.

  1. Click mss-auth-service to see a more detailed view of the auth-service.

  2. In the detailed view, click ellipsis and then either View Recent Logs or Download Logs.

Identify specific issues

Check the possible causes for issues you may encounter.

Issue Possible cause
User is prompted for credentials - The client machine is not a member of the Active Directory domain.
- The user has not logged onto the client machine with the credentials of a user in the Active Directory domain.
- The browser (Internet Options) has not been configured for Kerberos.
- The necessary SPN has not been added to the KDC service account.
User encounters the error message: “Unable to complete request at this time” - LDAP is misconfigured.
- The keytab file created for the service account on the KDC is not valid.
User encounters the error message: XDAS_OUT_POLICY_VIOLATION - The proxy interface properties are not properly configured when the MSS server is behind a reverse proxy or load balancer.
User encounters the error message: “This site cannot be reached” - The auth service is not running or has not been enabled.
- Check the mss-mss-server to verify that the property named mss.oauth is defined and the value is set to true. For instructions, see Adjusting Advanced Product Settings.
Authentication takes a long time - LDAP is configured with the standard LDAP port. Instead, configure LDAP with the global catalog port (such as 3268).
Reflection Desktop displays a “connection failed” error when trying to open a session - Reflection Desktop must have Centralized Management configured to access the MSS server using HTTPS.
- And, the certificate of the MSS server must be trusted by the Windows Trusted Root Certification Authorities store.
Kerberos authentication fails for users who belong to a large number of Active Directory groups - The authentication string is too large.
Resolution: Edit the properties of the mss-auth-service by adding this key/value pair:
Key: server.max-http-header-size, Value: 10MB
For instructions, see Setting Advanced Properties.