Safeguard Authentication Services 5.0.2 - Authentication Services for Smart Cards Administration Guide

Troubleshooting "Cannot contact any KDC for requested realm" issue

Symptom:

An error displays, similar to the following:

ERROR: VAS_ERR_KRB5: Failed to obtain credentials. Client: vas-user@ALTSUFFIX.VAS,
Service: krbtgt/ALTSUFFIX.VAS@ALTSUFFIX.VAS, Server: (null)
   Caused by:
   KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm
Reason: unable to reach any KDC in realm ALTSUFFIX.VAS

Diagnosis:

You will get an error message that says, "Cannot contact any KDC for requested realm" because Safeguard Authentication Services cannot obtain a Kerberos ticket for the user principal name encoded on the smart card.

This will occur when Safeguard Authentication Services is unable to communicate with a domain controller. Run the vastool info servers command and try to ping your domain controllers to ensure that your network is properly configured and Safeguard Authentication Services has found a domain controller to use for communication with Active Directory.

If the problem persists, you may have a problem with your user principal name suffix. This occurs when the suffix of the user principal name on your smart card does not match the name of the Kerberos realm for your Active Directory domain. In other words, your Active Directory domain is COMPANY.COM, but the user principal on your smart card is vas-user@ALTSUFFIX.VAS. This means you are using an alternative user principal name suffix.

Solution:

Configure vas.conf to use user principal name as the logon attribute. This can be done by any of the following methods:

1. Safeguard Authentication Services Configuration Group Policy Setting:
   1. Open QAS Configuration in the Group Policy editor.
   2. Type username-attr-name in the search field and click the Search button.
   3. Set the value to userPrincipalName.
   4. Click OK to close the dialog.
   5. Apply Group Policy on the Safeguard Authentication Services client by running the vgptool apply command.
2. Manually edit the vas.conf.
   1. Open the vas.conf file on the Safeguard Authentication Services client.
   2. In the [vasd] section, set "username-attr-name = userPrincipalName".
   3. Save the vas.conf file.
   4. Run the vastool flush command to repopulate user information.
3. Edit the vas.conf with vastool.

   1. Run the following command:

      vastool configure vas vasd username-attr-name userPrincipalName

   2. Run the vastool flush command to repopulate user information.

Troubleshooting log errors

The following section describes symptoms and possible causes of log error messages when attempting to log in or perform other Safeguard Authentication Services for Smart Cards functions.

Related Topics

Log shows "clock skew problems"

Log shows "server policy does not allow them on" or "account is expired"

Log shows "Failed authentication attempt: cannot verify certificate"

Log shows "clock skew problems"

You will get a log error message that says, "clock skew problems" when you encounter a login failure because your system clock was out of sync with Active Directory.

To synchronize your system clock with Active Directory

1. Run the following command as root: vastool timesync.

Log shows "server policy does not allow them on" or "account is expired"

You will get log error messages that say, "server policy does not allow them on" or "account is expired" when a user's account has been restricted, locked out, or expired; or when a user, whose account is marked Smart card required for login, attempts to log in with a password.

Check the user's account settings in Active Directory. For more information, see Check login.