Former Member

Kerberos issues on certain Windows servers?

We have an odd situation currently as we are trying to implement the Secure Login client on all of our 75+ Windows 2003 servers in our Citrix farms. The Netweaver system that runs the Secure Login server is set up to validate users based on SPNego, i.e. the Secure Client will use Kerberos to negotiate a certificate from the Secure Login server. On some of the servers the Secure Login client works fine: it connects to the Secure Login server, gets validated and retrieves a user certificate. But on some of the servers the Secure Login client replies with 'Supplied credentials not accepted by the server'.

As I understand the whole process, the Secure Client initiates the communication by talking to the domain controller in the Windows network to get a TGS ticket. With this TGS ticket it should be able to talk to the Secure Login server and get the certificate. Has anyone ever seen anything like this before? We have an open Microsoft support ticket as the issue appears to be Microsoft-related, but I was wondering if anyone had seen similar issues while implementing an SSO solution based on Netweaver Secure Login.

Best regards,

Anders


2 Answers

  • Best Answer
    May 07, 2014 at 05:50 PM

    Check the SLS logs. Check that clocks of the involved servers are not too much apart.


    • Former Member

      Turns out that the problem was that KB960077 was missing on the Windows 2003 servers that did not work. This is noted in the documentation for SLC 1.0, but not for 2.0.

      Best regards,

      Anders

  • 
    Former Member
    May 26, 2014 at 01:43 PM

    Hi Anders,

    Are all 75+ Citrix servers located in the same AD forest AND the same AD domain? As a first step, I would think about issues with the service account(s) created and the SPNs. Check that the SPNs can be resolved from the "problem" Citrix server by using "setspn -L <serviceaccount>" - same answer as on working Citrix servers?

    Regards,

    Carsten


    • Former Member

      Hello Carsten,

      I checked the setspn command on the non-working server and that part works fine. I get the same response from both servers.

      Best regards,

      Anders
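The thread ends up with three separate things to verify on a failing Citrix server: clock skew against the DC (first answer), the SPN registered on the service account (Carsten's setspn check), and whether KB960077 is installed (Anders' root cause). The script below is an added example that pulls those checks, plus a look at the Kerberos ticket cache, into one report; it is not code from the original thread or from SAP. The service account name svc-sls, the SLS host sls01.corp.example and the assumption that the SPNego SPN has the form HTTP/<host> are hypothetical and must be replaced with your own values. It needs PowerShell 2.0 or later (a separate install on Windows 2003), setspn.exe (Windows 2003 Support Tools on that platform) and, for the last check, klist.exe (Windows 2003 Resource Kit; built in from Vista/2008 on).

```powershell
# Added diagnostic for the symptoms discussed in this thread (not from the original posts).
# Assumed, hypothetical values: service account 'svc-sls', SLS host 'sls01.corp.example',
# SPN form 'HTTP/<host>'. Requires PowerShell 2.0+ and setspn.exe on the Citrix server.
param(
    [string]$ServiceAccount = 'svc-sls',            # assumed SLS service account
    [string]$SlsHost        = 'sls01.corp.example', # assumed SLS host (FQDN)
    [string]$Hotfix         = 'KB960077',           # named in the thread as the missing fix
    [int]   $MaxSkewSeconds = 300                   # Kerberos default clock tolerance: 5 min
)

$report = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:report += New-Object PSObject -Property @{ Check = $Name; OK = $Ok; Detail = $Detail }
}

# 1. Clock skew against the DC that handled this logon session ($env:LOGONSERVER is \\DCNAME;
#    when logged on with a local account it names this machine, so run as a domain user).
#    A skew beyond the tolerance makes the service reject the ticket, which the client
#    reports as a credential problem rather than a time problem.
$dc = $env:LOGONSERVER.TrimStart('\')
try {
    $os     = Get-WmiObject Win32_OperatingSystem -ComputerName $dc -ErrorAction Stop
    $dcTime = $os.ConvertToDateTime($os.LocalDateTime)
    $skew   = [math]::Abs(((Get-Date) - $dcTime).TotalSeconds)
    Add-Check 'Clock skew vs DC' ($skew -le $MaxSkewSeconds) ("{0}: {1:N0} s" -f $dc, $skew)
} catch {
    Add-Check 'Clock skew vs DC' $false "could not read clock of $dc ($($_.Exception.Message))"
}

# 2. SPN registration: the SPN the client asks a ticket for must be on the service account.
#    Same 'setspn -L' check as in the thread; the output should match a working server.
$expectedSpn = "HTTP/$SlsHost"
$spnLines = & setspn.exe -L $ServiceAccount 2>&1 | ForEach-Object { $_.ToString().Trim() }
$hasSpn   = [bool]($spnLines | Where-Object { $_ -ieq $expectedSpn })
Add-Check 'SPN on service account' $hasSpn ("expected $expectedSpn; got: " + ($spnLines -join '; '))

# 3. Hotfix presence: the thread's root cause was KB960077 missing on the failing servers.
$qfe = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq $Hotfix } | Select-Object -First 1
$qfeDetail = if ($qfe) { "installed $($qfe.InstalledOn)" } else { 'not found' }
Add-Check "Hotfix $Hotfix installed" ([bool]$qfe) $qfeDetail

# 4. Did the client actually obtain a service ticket for the SLS SPN? This separates
#    'no ticket from the KDC' from 'ticket presented but rejected by the SLS'.
if (Get-Command klist.exe -ErrorAction SilentlyContinue) {
    $tickets   = & klist.exe tickets 2>&1 | Out-String
    $hasTicket = [bool]($tickets -match [regex]::Escape($expectedSpn))
    $tktDetail = if ($hasTicket) { 'present in cache' } else { 'not in cache; trigger a Secure Login attempt first' }
    Add-Check 'Service ticket for SLS' $hasTicket $tktDetail
} else {
    Add-Check 'Service ticket for SLS' $false 'klist.exe not available; check skipped'
}

$report | Format-Table Check, OK, Detail -AutoSize
```

Run it once on a server where the Secure Login client works and once on one that reports 'Supplied credentials not accepted by the server', then compare the two tables line by line. In the situation described in this thread the first, second and fourth rows would agree on both servers and only the hotfix row would differ; if the SPN or ticket rows differ instead, the problem is on the KDC side (account, SPN or DNS name) rather than on the Citrix server.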