Kerberos SSO implementation

Cristina Mihaela Lupu 1 Reputation point
2020-07-08T14:00:13.28+00:00

We are in the development process to configure an application to authenticate via Kerberos and we require a Keytab file which should contain the principal name (both Remote and HTTP prefix), along with KDC configuration. I used the following commands in order to generate the file:
ktpass /princ HTTP/server.domain.com@keyman .COM /mapuser testuser /pass password /out file.keytab /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /kvno 20

When trying to use the file, I receive the error 'Client not found in Kerberos database'.

Microsoft Entra

2 answers

  1. Marilee Turscak-MSFT 36,336 Reputation points Microsoft Employee
    2020-07-14T21:47:32.29+00:00

    Hi @CristinaLupa-7377,

    Please check if the Kerberos realm name in Active Directory is in lowercase. This problem can happen if that is the case. If this is the issue you will be able to complete the Kerberos wizard, but face this error later.

    Things to try for the account receiving the error:

    1. Enable the account and reset the password. (See if you receive any error while enabling.)
    2. Extract the user's metadata (repadmin /showobjmeta)
    3. Query the object properties and check to see if the same SID might be attached to two different objects.

    https://support.microsoft.com/en-in/help/198793/the-active-directory-database-garbage-collection-process-and-calculati

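The answer above asks the poster to confirm the realm case, and the question's ktpass command sets /kvno explicitly; both can be checked directly against the keytab file rather than by trial and error. The script below is an added example, not code from this thread or from Microsoft: it parses the MIT keytab format (version 0x0502, which ktpass writes), lists each entry's principal, realm, kvno and enctype, and flags a realm that is not uppercase or a kvno that differs from the value AD holds in msDS-KeyVersionNumber. The realm EXAMPLE.COM, the principal HTTP/server.example.com, the key bytes and the expected kvno are constructed sample values, and build_keytab exists only to fabricate that sample in memory; on a real system you would read the ktpass output file and pass the kvno reported by Get-ADUser.

```python
"""Inspect a keytab produced by ktpass: list principals, realm, kvno and
enctype, and flag a lowercase realm or a kvno that does not match AD."""
import struct

# Keytab format version 0x0502 (the format ktpass writes).
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1

# RFC 3961 enctype numbers for the /crypto values ktpass accepts.
ENCTYPE_NAMES = {
    3: "DES-CBC-MD5",
    17: "AES128-SHA1",
    18: "AES256-SHA1",
    23: "RC4-HMAC",
}


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples into keytab bytes.

    Used here only to construct sample input; a real keytab comes from ktpass."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, enctype, key in entries:
        body = bytearray()
        components = principal.encode().split(b"/")
        body += struct.pack(">H", len(components))          # realm is not counted
        realm_b = realm.encode()
        body += struct.pack(">H", len(realm_b)) + realm_b
        for c in components:
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">II", KRB5_NT_PRINCIPAL, 0)    # name type, timestamp
        body += struct.pack(">B", kvno & 0xFF)               # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                      # 32-bit vno (ktpass writes it)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts describing each entry in a v0x0502 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, _timestamp = struct.unpack_from(">II", data, pos); pos += 8
        vno8 = data[pos]; pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen                          # skip the key material itself
        kvno = vno8
        if end - pos >= 4:                   # optional 32-bit vno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "name_type": name_type})
    return entries


def check_keytab(data, expected_kvno):
    """Return human-readable findings: realm not uppercase, or kvno mismatch."""
    findings = []
    for e in parse_keytab(data):
        who = f"{e['principal']}@{e['realm']}"
        if e["realm"] != e["realm"].upper():
            findings.append(f"{who}: realm is not uppercase")
        if e["kvno"] != expected_kvno:
            findings.append(f"{who}: keytab kvno {e['kvno']} != AD msDS-KeyVersionNumber {expected_kvno}")
    return findings


# Constructed sample: a good entry plus one with a lowercase realm and a stale kvno.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/server.example.com", "EXAMPLE.COM", 20, 18, b"\x11" * 32),
    ("HTTP/server.example.com", "example.com", 19, 18, b"\x22" * 32),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    for finding in check_keytab(SAMPLE_KEYTAB, expected_kvno=20):
        print("WARN", finding)
```

To run it against a real file, replace SAMPLE_KEYTAB with `open("file.keytab", "rb").read()` and pass the kvno from `Get-ADUser testuser -Properties msDS-KeyVersionNumber`; a kvno that is lower in the keytab than in AD means the password was reset after the keytab was cut, and a realm that does not match the KDC's uppercase realm is exactly the mismatch the answer describes.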

  2. Cristina Mihaela Lupu 1 Reputation point
    2020-07-15T08:31:18.447+00:00

    Hi Marilee,

    Thank you for your answer. I verified the Kerberos realm name and it's in uppercase. The account is enabled, it was freshly created for this project, and the password is set to never expire. I verified the user's metadata and this SID is attached to only one object.
