Troubleshooting Kerberos
I am unable to sign on using Kerberos through the PingOne gateway
If you have configured the PingOne gateway to support Kerberos authentication but users still see a sign-on screen, check the audit logs for Kerberos failures such as the following. Learn more in Event types.
{
  "id" : "f0509c78-9d00-4c69-92e0-6528d7cd5494",
  "code" : "ACCESS_FAILED",
  "message" : "The request could not be completed. You do not have access to this resource.",
  "details" : [ {
    "code" : "INVALID_TOKEN",
    "message" : "Kerberos ticket is invalid"
  } ]
}
The "Kerberos ticket is invalid" error indicates that the browser submitted a Kerberos ticket, but the ticket was invalid or could not otherwise be processed.

This error occurs when:

The KDC isn’t issuing tickets with AES encryption

1. In Windows, open a command prompt and enter klist. There should be a ticket for each service for which you configured SPNs (for example, HTTP/kerberos.pingone.com and HTTP/d3vol3lyj0eg62.cloudfront.net). Learn more in Creating SPNs.
2. Check the KerbTicket Encryption Type. If the KerbTicket Encryption Type is RSADSI RC4-HMAC, PingOne will not accept the ticket, because PingOne requires AES encryption.
3. On your server, in Active Directory Users and Computers, find the user account that is attempting to access PingOne using Kerberos.
4. Right-click the account and select Properties.
5. Click the Account tab.
6. In the Account Options section, select This account supports Kerberos AES 256 bit encryption.
   If there is a login error, you might need to purge existing Kerberos tickets. To purge tickets:
   a. Open a command prompt and enter klist purge.
   b. Sign off of Windows and sign back on.
   c. Attempt Kerberos authentication.
7. Discuss with your Active Directory admin the best way to ensure the KDC issues tickets using AES encryption for all users.
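To check the klist output from the steps above without reading it by hand, here is an added PowerShell example (not part of the PingOne documentation) that parses what klist prints and flags any gateway SPN whose cached ticket is RSADSI RC4-HMAC rather than AES. The function name and the sample klist text are constructed for this example, and the default SPNs are the two named on this page; pass your own with -ExpectedSpns.

```powershell
# Added example, not PingOne code: parse klist output and report, per gateway SPN,
# whether the cached ticket is AES (supported) or RSADSI RC4-HMAC (rejected by PingOne).
function Get-GatewayTicketStatus {
    param(
        [Parameter(Mandatory)][string[]]$KlistOutput,
        [string[]]$ExpectedSpns = @('HTTP/kerberos.pingone.com',
                                    'HTTP/d3vol3lyj0eg62.cloudfront.net')
    )
    # Walk the "#n>" ticket blocks, collecting Server and KerbTicket Encryption Type.
    $tickets = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*#\d+>') {
            $current = [pscustomobject]@{ Server = ''; EncType = '' }
            $tickets.Add($current)
        }
        elseif ($current -and $line -match '^\s*Server:\s*(\S+)\s*@') {
            $current.Server = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*KerbTicket Encryption Type:\s*(.+?)\s*$') {
            $current.EncType = $Matches[1]
        }
    }
    # One row per expected SPN: MISSING (no ticket yet), RC4-UNSUPPORTED, AES-OK or OTHER.
    foreach ($spn in $ExpectedSpns) {
        $t = $tickets | Where-Object { $_.Server -eq $spn } | Select-Object -First 1
        $status = 'MISSING'
        if ($t) {
            if ($t.EncType -match 'RC4')      { $status = 'RC4-UNSUPPORTED' }
            elseif ($t.EncType -match '^AES') { $status = 'AES-OK' }
            else                              { $status = 'OTHER' }
        }
        [pscustomobject]@{ Spn = $spn; EncType = $(if ($t) { $t.EncType } else { '' }); Status = $status }
    }
}

# Constructed sample of klist output (not real tickets) so the function runs offline.
$sampleText = @'
Cached Tickets: (2)

#0>     Client: jdoe @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: jdoe @ EXAMPLE.COM
        Server: HTTP/kerberos.pingone.com @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
'@
$sample = $sampleText -split "`r?`n"
Get-GatewayTicketStatus -KlistOutput $sample | Format-Table -AutoSize
```

On a live workstation, feed the function real output instead of the sample: Get-GatewayTicketStatus -KlistOutput (klist). A MISSING row means the browser never requested a ticket for that SPN, which points at SPN registration rather than encryption type.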
The service account for the PingOne gateway isn’t configured to use AES encryption for Kerberos

1. In Active Directory Users and Computers, find the service account you’ve configured for the PingOne gateway Kerberos integration.
2. Right-click the account and select Properties.
3. On the Account tab, in the Account Options section, select This account supports Kerberos AES 256 bit encryption.
4. Restart the gateway instance. Learn more in Starting a gateway instance.
5. Confirm that Kerberos login is working.
6. If Kerberos authentication still isn’t working, purge existing Kerberos tickets:
   a. Open a command prompt and enter klist purge.
   b. Sign off of Windows and sign back on.
   c. Attempt Kerberos authentication.
7. If Kerberos authentication still isn’t working, you must reset the password for the service account. Then repeat step 6.