Using Transparent Kerberos and some, but not all, users are prompted to login
July 19, 2011 Customer Services
Synopsis
Using Transparent Kerberos and some, but not all, users are prompted to login
Article
If some but not all users are prompted to log in, this generally indicates a problem with the particular domain account.
Check the following:
- That the user has logged out and logged back in at least once.
- That the user's browser proxy settings are configured to use the FQDN of CensorNet rather than its IP address.
- That the web browser is compatible with Transparent Kerberos (IE7 and above, Firefox 2 and above, Safari on Mac OS X 10.4 and above).
- That the user's Active Directory account password has not expired or been flagged to "change on next logon".
- Run 'klist' at the Windows command prompt of the failing machine. Compare this with the 'klist' output on a machine that works. You can download klist from Microsoft.
- Try logging in as the failing user account on a different machine. If that works, it suggests a problem with the machine account in Active Directory.
- In a multi-domain controller environment, ensure that the computer is logging in to the domain controller that CensorNet has a trust relationship with (as specified in System -> Configuration -> User authentication). To verify which domain controller the computer is logging in to, open a Command Prompt and type "echo %logonserver%". If this does not match the configured domain controller but is a backup domain controller, ensure that the CensorNet machine account has been replicated to it.
- Try removing the user from the domain and rejoining them.
- Check for HP Credential Manager. HP Credential Manager can hijack the authentication and prevent Transparent Kerberos from working correctly. To fix, open Credential Manager from the Control Panel and delete the entry for the CensorNet server (thanks to Mark Beaven at PassionIT for the tip).
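The client-side checks in the list above (proxy FQDN, logon server, klist) can be collected in one pass on the failing machine. The PowerShell script below is an added example, not CensorNet's own tooling; the proxy name, the domain controller name and the HTTP/<FQDN> service principal name are assumptions to replace with your own values.

```powershell
# Added example: client-side checks from the list above. Parameter values are
# placeholders; supply your own proxy FQDN and configured domain controller.
param(
    [string]$ProxyFqdn  = 'proxy.example.internal',  # assumed name of the CensorNet server
    [string]$ExpectedDc = 'DC01'                     # assumed DC set under User authentication
)

$findings = @()

# 1. Browser proxy must reference the FQDN, not an IP address.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if (-not $inet.ProxyEnable -or -not $inet.ProxyServer) {
    $findings += 'No static proxy set in Internet Settings (check PAC/WPAD or browser config).'
} else {
    # ProxyServer is "host:port" or "http=host:port;https=host:port"
    foreach ($entry in $inet.ProxyServer -split ';') {
        $proxyHost = ($entry -replace '^[^=]+=', '' -replace '^\w+://', '') -replace ':\d+$', ''
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($proxyHost, [ref]$ip)) {
            $findings += "Proxy '$entry' uses an IP address; Kerberos needs the FQDN."
        } elseif ($proxyHost -ne $ProxyFqdn) {
            $findings += "Proxy host '$proxyHost' differs from expected '$ProxyFqdn'."
        }
    }
}

# 2. Logon server must match the DC the proxy trusts (or a replica holding its account).
$logonServer = $env:LOGONSERVER -replace '^\\\\', ''
if ($logonServer -ne $ExpectedDc) {
    $findings += "Logged on via '$logonServer', expected '$ExpectedDc'; confirm replication."
}

# 3. Look for a cached service ticket for the proxy (SPN form HTTP/<FQDN> is assumed).
$tickets = klist 2>&1 | Out-String
if ($tickets -notmatch [regex]::Escape("HTTP/$ProxyFqdn")) {
    $findings += "No cached ticket for HTTP/$ProxyFqdn; browse via the proxy, then re-run."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Client-side checks passed.' }
```

Run it as the affected user on both a failing and a working machine and compare the warnings.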