Single Sign-On stopped working or does not work when trying to SSH to a machine. This error can be found when reviewing the ssh client debug log:
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure (see text)
Server (host/unixmachine.example.com@EXAMPLE.COM) unknown
This can be caused by either:
1) There is no SPN matching the machine on the object in Active Directory (AD)
2) There are duplicated SPNs for this machine in AD
RESOLUTION 1
Add the missing SPN to the object in AD:
# vastool -u <admin> setattrs -m host/ servicePrincipalName host/unixmachine host/unixmachine.example.com host/
** Note: servicePrincipalName is a multi-valued attribute, and you must include ALL SPNs in this command or you will lose the SPNs that were previously set.
RESOLUTION 2
Locate and remove the object with the duplicated SPNs.
To identify duplicated SPNs in your environment you can run the following:
VAS=/opt/quest/bin/vastool ; for spn in `sudo $VAS -u host/ search -q "(servicePrincipalName=*)" servicePrincipalName | sort | uniq -d` ; do printf "\nDuplicated ServicePrincipalName: %s\n" "$spn" ; sudo $VAS -u host/ search -q "(servicePrincipalName=$spn)" distinguishedName ; done
Be advised that this can be an expensive query, as it will search ALL computer objects in AD, then compare SPNs and print any duplicates found.
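An added example, not One Identity's code: a single-pass duplicate-SPN check over an exported object list, which reports every owning object without issuing one extra search per duplicate. It assumes the data is available as LDIF text with dn: and servicePrincipalName: lines; that input format, the function names and the sample objects are constructed for illustration, and SPNs are compared case-insensitively.

```shell
#!/bin/sh
# Added example: find SPNs held by more than one AD object in an LDIF export.
# Assumption: input is LDIF text with "dn:" and "servicePrincipalName:" lines
# (not vastool's own output format). Folded lines and base64 values are not handled.

find_duplicate_spns() {
    # Reads LDIF on stdin; prints "spn<TAB>dn" for every object sharing an SPN.
    awk '
        /^dn: /                   { dn = substr($0, 5); next }
        /^servicePrincipalName: / {
            # Lower-case the value: AD matches SPN values without regard to case,
            # so HOST/x and host/x collide even though "sort | uniq -d" misses it.
            spn = tolower(substr($0, 23))
            key = spn SUBSEP dn
            if (key in seen) next      # same SPN repeated on one object
            seen[key] = 1
            count[spn]++
            owners[spn] = owners[spn] (owners[spn] == "" ? "" : "\n") spn "\t" dn
        }
        END {
            for (spn in count)
                if (count[spn] > 1) print owners[spn]
        }
    ' | LC_ALL=C sort
}

# Constructed sample data: two objects claim host/unixmachine.example.com.
sample_ldif() {
    cat <<'EOF'
dn: CN=unixmachine,OU=Unix,DC=example,DC=com
servicePrincipalName: host/unixmachine
servicePrincipalName: host/unixmachine.example.com

dn: CN=UNIXMACHINE-OLD,CN=Computers,DC=example,DC=com
servicePrincipalName: HOST/unixmachine.example.com

dn: CN=other,OU=Unix,DC=example,DC=com
servicePrincipalName: host/other.example.com
EOF
}

# Stand-alone run: list the conflicting objects in the sample.
sample_ldif | find_duplicate_spns
```

Each output line pairs a duplicated SPN with one object that holds it, so the stale object to remove can be picked directly from the list.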