This is the clue in the appserver log:
Appserver] Actual error from AD / ADK authentication: Client not found in Kerberos database (6)
Check for credentials, Check TGT -registry value
So the actual error from AD was Client not found in Kerberos database (6),
which is:
The KDC could not translate the client principal name from the KDC request into an account in the Active Directory. Generally, verify whether the client account exists and has propagated to the domain controller that generated the error. Checking Active Directory replication may provide an indication of why the error occurred. It can also be a problem where the name specified is not a recognized user principal name present on the userPrincipalName attribute of the account.
By 'client account' does that mean the machine that is acting as a Kerberos client (i.e. the Blade application server)? This means it has to have a verified computer account in AD for the Bladelogic appserver? All of the computer/user accounts are well over a year old so I don't see how AD replication could be the issue.
This setup has been unchanged for about a year. Also, I was just able to log in (once) about an hour ago, so the error appears to be somewhat intermittent (though it is occurring far more often than not).
I would rebuild the blappappserv_krb5.conf and see if it goes away. Intermittent issues like this with text-file configuration are often due to corruption of the file. It happens with scripts that have worked for years but, one day, they work and then don't. I've seen this happen with ini and inf files too. That's my 2 cents.
Are you using the ADK login or Domain?
Domain. As an update, this problem has (for now) disappeared without any intervention on our part so the most likely solution is a mystery change to AD.
I am also facing the same problem. Is there any root cause for this? As I can see, most of these questions are not answered, as whoever faced it has also written that it disappeared without any intervention. Why is this domain authentication problem happening?
A quick reply will be appreciated. We were able to use the same application server with the same user but now it's not working. It's really strange.
Are you using 'domain auth' (where you type the AD username and password into the BSA client) or 'ADK auth' (where the Kerberos ticket is automatically populated into the BSA client)?
What's in the appserver log when this happens?
Do you see any messages for this user in the domain controller's security log?
What version of BSA?
What version of AD?
I found the cause of this issue: the DC mentioned in the KDC config file had been shut down and moved to another location. I updated the KDC config file with the correct DC name. It's now working fine.
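The root cause found above was a stale kdc entry in the appserver's krb5.conf pointing at a decommissioned domain controller. The following script is an added example, not code from this thread or from BMC: it parses the [realms] section of a krb5.conf (such as blappappserv_krb5.conf) and checks that every listed KDC resolves in DNS and accepts a TCP connection on the Kerberos port, so a dead or moved DC shows up before anyone starts chasing AD replication. The sample config, realm and DC hostnames are constructed for the demo, and the resolver/connector are injectable so the logic can be exercised offline.

```python
"""Sanity-check the KDC hosts listed in a krb5.conf before blaming AD.

Added example (not from the thread): parses "kdc = host[:port]" entries under
[realms] and probes each one. Hostnames, realm and file path are hypothetical.
"""
import socket
import sys
from typing import Callable, Dict, List, Optional, Tuple

KRB_PORT = 88  # default Kerberos port when the kdc entry carries none

# Constructed sample in the format of a BladeLogic appserver krb5.conf;
# the realm and DC names are made up for this demo.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc01.corp.example.com
        kdc = dc02.corp.example.com:88   # decommissioned DC in this scenario
        admin_server = dc01.corp.example.com
    }
"""


def parse_kdcs(conf_text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Return {realm: [(kdc_host, port), ...]} from the [realms] section.

    Handles hostname/IPv4 "host[:port]" entries; bracketed IPv6 is not handled.
    """
    realms: Dict[str, List[Tuple[str, int]]] = {}
    section = None
    realm = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
            continue
        if section != "realms":
            continue
        if line.endswith("{"):                   # "REALM.NAME = {"
            realm = line[:-1].split("=", 1)[0].strip()
            realms.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "kdc":
                host, _, port = value.partition(":")
                realms[realm].append((host, int(port) if port else KRB_PORT))
    return realms


def check_kdc(host: str, port: int,
              resolve: Callable[[str], str] = socket.gethostbyname,
              connect: Optional[Callable[[str, int], None]] = None,
              timeout: float = 3.0) -> Tuple[str, int, str, str]:
    """Return (host, port, status, detail); status is ok/unresolvable/unreachable.

    resolve/connect are injectable so the check can run without a network.
    """
    if connect is None:
        def connect(addr: str, p: int) -> None:
            socket.create_connection((addr, p), timeout=timeout).close()
    try:
        addr = resolve(host)
    except OSError as exc:                      # socket.gaierror is an OSError
        return (host, port, "unresolvable", str(exc))
    try:
        connect(addr, port)
    except OSError as exc:
        return (host, port, "unreachable", f"{addr}: {exc}")
    return (host, port, "ok", addr)


def check_all(conf_text: str, **probe_kwargs) -> List[Tuple[str, str, int, str, str]]:
    """Probe every KDC of every realm; returns (realm, host, port, status, detail)."""
    results: List[Tuple[str, str, int, str, str]] = []
    for realm, kdcs in parse_kdcs(conf_text).items():
        if not kdcs:
            results.append((realm, "", 0, "no-kdc", "realm lists no kdc entries"))
        for host, port in kdcs:
            results.append((realm,) + check_kdc(host, port, **probe_kwargs))
    return results


if __name__ == "__main__":
    # Usage: python kdc_check.py /opt/bmc/bladelogic/NSH/br/blappappserv_krb5.conf
    # (hypothetical path); with no argument the constructed sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    bad = 0
    for realm, host, port, status, detail in check_all(text):
        print(f"{realm:30} {host}:{port:<5} {status:12} {detail}")
        bad += status != "ok"
    sys.exit(1 if bad else 0)
```

Run it on the appserver against the real krb5.conf; any line that is not "ok" is a KDC the appserver cannot use, and a non-zero exit makes it easy to wire into a monitoring check so a moved DC is caught the day it happens rather than when logins start failing intermittently.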