Single Sign-On stopped working or does not work when trying to SSH to a machine. The following error appears in the ssh client debug log:
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure (see text)
Server (host/unixmachine.example.com@EXAMPLE.COM) unknown
This can be caused by either of the following:
1) There is no SPN matching the machine on the object in Active Directory (AD)
2) There are duplicated SPNs for this machine in AD
Add the missing SPN to the object in AD:
# vastool -u <admin> setattrs -m host/ servicePrincipalName host/unixmachine host/unixmachine.example.com host/
** Note: servicePrincipalName is a multi-valued attribute and you must include ALL SPNs in this command or you will lose the SPNs that were previously set.
Locate and remove the object with the duplicated SPNs.
To identify duplicated SPNs in your environment you can run the following:
VAS=/opt/quest/bin/vastool ; for spn in `sudo $VAS -u host/ search -q "(servicePrincipalName=*)" servicePrincipalName | sort | uniq -d` ; do printf '\nDuplicated ServicePrincipalName: %s\n' "$spn" ; sudo $VAS -u host/ search -q "(servicePrincipalName=$spn)" distinguishedName ; done
Be advised that this can be an expensive query: it searches ALL computer objects in AD, then compares SPNs and prints any duplicates found.