Former Member

Windows AD redundancy of authentication (Kerberos)

I have been using AD authentication.
I use a single domain to provide redundancy.

Reference: 1581958 - Windows AD authentication takes very long time to logon
default_realm = ABCD.MFROOT.ORG
dns_lookup_kdc = true
dns_lookup_realm = true

kdc = ABCDIR99.ABCD.MFROOT.ORG  ←non-existent domain
default_domain = ABCD.MFROOT.ORG

In order to test the redundancy, I use a domain that does not exist.
But an error (FWM 00006) is output.
Or can you not test with a non-existent domain?

1 Answer

  • Dec 18, 2018 at 07:41 PM

    The bsclogin.conf must have debug=true set at the end of the 2nd line for the Kerberos errors to be output to the Tomcat stdout: { required debug=true;


    If the non-existent domain is at all reachable (resolves to an IP), then krb5 will likely time out trying to communicate with it. If it is really non-existent, then it should simply skip it and try the next; the multiple KDCs work like round robin.

    For real redundancy, using SSO via KBA would be the way to go, as that uses DNS instead of the krb5.ini. The krb5 is only used for manual logon, which currently goes through our Java SDK.


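The answer above draws a line between a KDC name that does not resolve (the client skips it and tries the next one) and a name that resolves but never answers (the client waits for a timeout first, which is the slow-logon symptom). The following script is an added example, not code from the original thread or from SAP: it parses the [realms] block of a krb5.ini in the shape quoted in the question and classifies each configured KDC accordingly. The ABCDIR01 host, the embedded sample file and the verdict labels are assumptions for illustration; a TCP connect to port 88 is used as a stand-in for "the KDC answers", which is close enough to predict whether krb5 will stall on an entry.

```python
"""Check every KDC listed for a realm in a krb5.ini and report how the
Kerberos client is likely to treat it: 'skipped' (name does not resolve),
'slow' (resolves but tcp/88 does not answer) or 'usable' (tcp/88 answers).
Added example; not part of the original post."""
import socket
from typing import Callable, Dict, List

KDC_PORT = 88

# Constructed sample in the shape of the krb5.ini quoted in the question.
# ABCDIR99 is the deliberately non-existent host from the question;
# ABCDIR01 is an assumed, hypothetical working domain controller.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = ABCD.MFROOT.ORG
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
ABCD.MFROOT.ORG = {
    kdc = ABCDIR01.ABCD.MFROOT.ORG
    kdc = ABCDIR99.ABCD.MFROOT.ORG
    default_domain = ABCD.MFROOT.ORG
}
"""


def parse_kdcs(text: str) -> Dict[str, List[str]]:
    """Return {realm: [kdc host, ...]} from the [realms] section, in file
    order, which is the order the client tries them."""
    realms: Dict[str, List[str]] = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            realm = None
            continue
        if section != "realms":
            continue
        if line.endswith("{"):                   # "REALM = {" opens a block
            realm = line[:-1].strip().rstrip("=").strip()
            realms.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "kdc":
                realms[realm].append(value.split(":", 1)[0])  # drop optional :port
    return realms


def tcp_probe(ip: str, port: int, timeout: float) -> bool:
    """True if a TCP connect to ip:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_kdc(host: str,
                 resolve: Callable[[str], str] = socket.gethostbyname,
                 connect: Callable[[str, int, float], bool] = tcp_probe,
                 timeout: float = 3.0) -> str:
    """'skipped': name does not resolve, so krb5 moves on to the next KDC.
    'slow': name resolves but tcp/88 does not answer, so krb5 waits for a
    timeout before moving on (the slow-logon case). 'usable': tcp/88 answers."""
    try:
        ip = resolve(host)
    except OSError:          # socket.gaierror is a subclass of OSError
        return "skipped"
    return "usable" if connect(ip, KDC_PORT, timeout) else "slow"


def check_realm(text: str, realm: str, **kw) -> Dict[str, str]:
    """Classify every KDC configured for realm in krb5.ini text.
    Raises KeyError if the realm has no [realms] block."""
    return {host: classify_kdc(host, **kw) for host in parse_kdcs(text)[realm]}


if __name__ == "__main__":
    # Live run against the sample: uses real DNS and real TCP connects.
    for host, verdict in check_realm(SAMPLE_KRB5_INI, "ABCD.MFROOT.ORG").items():
        print(f"{host:40s} {verdict}")
```

Run it against the real krb5.ini on the BI server before testing failover: an entry reported as 'slow' is one that will make every manual logon wait out a timeout, whereas a 'skipped' entry costs nothing. The resolver and connect functions are injectable so the classification can be exercised without network access.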