It could be anything from a typo in one of the config files (everything is case sensitive as well) to a wrong version of ktpass used to generate the keytab file, to a file pointing to the wrong AD domain.
I suggest you open a ticket with support and provide all the following information:
From the Client:
o Verify that the allowsessiontgt registry key is set - and has the machine running been rebooted after this registry key was set?
o Send us information about the user/domain attempting to log in as:
+ Is the user you are logged in as in the domain?
+ Run the 'kerbtray' command and check if it reports:
+ blclient_login.conf and krb5.conf files
From the Domain:
o Check if the service principal account has the Use DES Encryption option set (under the Account tab->Options)
o Has this account been modified in any way since the keytab was created?
o Get a screenshot of the user entry as set up in the KDC, to verify the case and logon name configured.
From the Appserver:
o Make sure the keytab file is valid.
Check the following article: https://www.bladelogic.com/community/entry.jspa?externalID=934&categoryID=76
To validate the keytab file, authenticate to the KDC using kinit:
kinit -k -t /opt/nsh/br/blkdc.keytab user/pass@AD.DOMAIN
o keyTab is spelled keyTab, not keytab (the config files are very case sensitive).
Send us a copy of:
o Send us the output of (there is a klist included in the JRE shipped with BladeLogic?):
klist -t -k
From the Environment:
o Check the firewall: it must allow traffic on port 88 for both TCP and UDP.
MIT's kinit fails over to TCP if it cannot reach the KDC via UDP. Java's kinit does not.
o Make sure the Active Directory is resolvable from the DNS with the user you are trying to authenticate as.
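The case-sensitivity point in the checklist above (keyTab, not keytab) can be checked mechanically. The following is an added example, not part of the original post and not BladeLogic code; it assumes blclient_login.conf is a standard JAAS login configuration using the JDK's Krb5LoginModule, and the sample file contents (entry name, principal) are constructed.

```python
import re

# Option names read by the JDK's com.sun.security.auth.module.Krb5LoginModule.
KNOWN = ("useTicketCache ticketCache useKeyTab keyTab storeKey principal "
         "doNotPrompt debug refreshKrb5Config renewTGT isInitiator "
         "useFirstPass tryFirstPass storePass clearPass").split()
BY_LOWER = {name.lower(): name for name in KNOWN}
# A quoted string, a /* */ comment or a // comment, whichever starts first.
QUOTED_OR_COMMENT = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*', re.S)
OPTION = re.compile(r'\b([A-Za-z]\w*)\s*=\s*("[^"]*"|[^\s;]+)')


def blank_comments(text):
    """Blank out comments but keep quoted values and line breaks intact."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r"[^\n]", " ", tok)
    return QUOTED_OR_COMMENT.sub(repl, text)


def lint_jaas(text):
    """Return (line_no, found, expected) for each option whose name differs
    from a known Krb5LoginModule option only by letter case."""
    findings = []
    for line_no, line in enumerate(blank_comments(text).splitlines(), 1):
        for m in OPTION.finditer(line):
            name = m.group(1)
            expected = BY_LOWER.get(name.lower())
            if expected and expected != name:
                findings.append((line_no, name, expected))
    return findings


# Constructed sample, not a real BladeLogic file (assumed JAAS layout).
SAMPLE = '''\
com.sun.security.jgss.initiate {
  // keytab="/commented/out" must not be reported
  com.sun.security.auth.module.Krb5LoginModule required
    useKeytab=true
    keytab="/opt/nsh/br/blkdc.keytab"
    principal="svc/host@AD.DOMAIN"
    doNotPrompt=true;
};
'''

if __name__ == "__main__":
    for line_no, found, expected in lint_jaas(SAMPLE):
        print(f"line {line_no}: '{found}' should be spelled '{expected}'")
```

The login module looks options up by their exact names, so a misspelled-by-case option is not picked up as the setting it was meant to be; the linter reports the line and the expected spelling.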
Just found out the domain we are connecting to is Windows 2000.
Also, make sure the times between the appserver, DC and workstation are in sync.
Yeah, TimeSync is not the issue. Have checked that out and it's fine.
Did you get a chance to check the stuff LB posted?