8 Replies Latest reply on Jun 1, 2016 5:36 AM by Harsha A

    AD Auth stops working?

    Jim Campbell

      I logged on at 8AM using an authentication profile with AD.  I have had the same authentication profile and we have been using the same AD authentication for the past year.  Upon trying to reconnect starting about 1.5 hours later I'm receiving:


      [23 Jan 2012 09:56:30,461] [Authentication-Service-Thread-0] [WARN] [::] [Appserver] user@domain.com cannot login, caught a login exception

      [23 Jan 2012 09:56:30,461] [Authentication-Service-Thread-0] [WARN] [::] [Appserver] User is not found in kerberos database.  Check the domain for user@domain.com

      [23 Jan 2012 09:56:30,461] [Authentication-Service-Thread-0] [WARN] [::] [Appserver] Actual error from AD / ADK authentication: Client not found in Kerberos database (6)

      [23 Jan 2012 09:56:30,461] [Authentication-Service-Thread-0] [INFO] [user@domain.com::] [Appserver] user authentication failed: user@domain.com

      [23 Jan 2012 09:56:30,461] [Authentication-Service-Thread-0] [INFO] [user@domain.com::] [Appserver] Authentication Connection closed


      The user exists and is not locked out.  I can telnet to port 88 from the Bladelogic application servers to the servers listed in blappappserv_krb5.conf.  Nothing was altered in this file or anywhere else as far as I know.  The application servers are Windows servers and joined to the same domain.


      What should I ask the AD team to check to see why this is occurring?  Or is this potentially some Blade problem?

        • 1. AD Auth stops working?

          This is the clue in the appserver log:

          Appserver] Actual error from AD / ADK authentication: Client not found in Kerberos database (6)

          Check for credentials, Check TGT -registry value


          So the actual error from AD was Client not found in Kerberos database (6)

          which is :

          The KDC could not translate the client principal name from the KDC request into an account in the Active Directory. Generally, verifying whether the client account exists and has propagated to the domain controller that generated the error. Checking Active Directory replication may provide an indication of why the error occurred. It can also be a problem where the name specified is not a recognized User principal name present on the userPrincipalName attribute of the account.

          • 2. AD Auth stops working?
            Jim Campbell

            By 'client account' does that mean the machine that is acting as a Kerberos client (i.e. the Blade application server)?  This means it has to have a verified computer account in AD for the Bladelogic appserver?  All of the computer/user accounts are well over a year old so I don't see how AD replication could be the issue.


            This setup has been unchanged for about a year.  Also, I was just able to log in (once) about an hour ago, so the error appears to be somewhat intermittent (though it is occurring far more often than not).

            • 3. AD Auth stops working?
              young so

              I would rebuild the blappappserv_krb5.conf and see if it goes away.  Intermittent issues like this with text file configuration are oftentimes corruption of the file.  It happens with scripts that work for years but, one day, they work and then don't work.  I've seen this happen with ini and inf files too.  That's my 2 cents.

              • 4. AD Auth stops working?
                Bill Robinson

                Are you using the ADK login or Domain?

                • 5. AD Auth stops working?
                  Jim Campbell

                  Domain.  As an update, this problem has (for now) disappeared without any intervention on our part so the most likely solution is a mystery change to AD.

                  • 6. Re: AD Auth stops working?
                    Harsha A

                    Hi All,

                    I am also facing the same problem. Is there any root cause for this? As far as I can see, most of these questions are not answered, as whoever faced it has also written that it disappeared without any intervention. Why is this domain authentication problem happening?


                    A quick reply will be appreciated. We were able to use the same application server with the same user, but now it's not working. It's really strange.




                    • 7. Re: AD Auth stops working?
                      Bill Robinson

                      Are you using 'domain auth' (where you type the AD username and password into the BSA client) or 'ADK Auth' (where the Kerberos ticket is automatically populated into the BSA client)?


                      What's in the appserver log when this happens?


                      Do you see any messages for this user in the domain controller's security log?


                      What version of BSA?


                      What version of AD?

                      • 8. Re: AD Auth stops working?
                        Harsha A

                        Hi All,


                        I found the cause of this issue: the DC mentioned in the kdc config file has been shut down and moved to another location. I updated the kdc config file with the correct DC name. It's now working fine.



                        Harsha Angadi

                        1 of 1 people found this helpful
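
The cause reported in reply 8, a DC named in the KDC config file that had been shut down, can be checked for directly. The following is an added example, not part of the thread and not BMC code: it parses the `kdc` entries of a krb5.conf-style file such as blappappserv_krb5.conf and flags any host that is missing from a list of current DCs or does not answer on its KDC port. The sample config, realm and host names are constructed, and the current-DC list is assumed to come from the AD team.

```python
import re
import socket
# Constructed sample in krb5.conf syntax; realm and host names are placeholders.
SAMPLE_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
[realms]
  EXAMPLE.COM = {
    kdc = dc1.example.com:88
    kdc = dc-old.example.com
  }
"""

def parse_kdcs(conf_text):
    """Return {realm: [(host, port), ...]} from the [realms] section."""
    kdcs, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif section != "realms" or not line or line[0] in "#;":
            continue
        elif line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            kdcs[realm] = []
        elif realm and re.match(r"kdc\s*=", line):
            host, _, port = line.split("=", 1)[1].strip().partition(":")
            kdcs[realm].append((host.lower(), int(port or 88)))
    return kdcs

def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection to the KDC port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_kdcs(conf_text, current_dcs, probe=tcp_probe):
    """Return (realm, host, port, problem) for KDC entries that look stale."""
    current = {name.lower() for name in current_dcs}
    findings = []
    for realm, entries in parse_kdcs(conf_text).items():
        for host, port in entries:
            if host not in current:
                findings.append((realm, host, port, "not a current DC"))
            elif not probe(host, port):
                findings.append((realm, host, port, "unreachable"))
    return findings
```

Run `audit_kdcs` against the real file's text on each application server; a config that still lists a retired DC alongside live ones is consistent with the intermittent failures described earlier in the thread.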