Cannot contact any KDC for requested realm

Document ID : KB000122165
Last Modified Date : 30/11/2018
Issue:
We're running CA Access Gateway (SPS), and when users try to
authenticate with the Kerberos authentication scheme, they cannot log in
because the CA Access Gateway (SPS) seems unable to contact
the KDC:

  [11/29/2018][18:22:50][2308][5204][23a92ace-31f0175a-738a10df-9952b1cb-46955b03-9b7][SmKcc::getCredentials][token length before validating is 5368]

  [11/29/2018][18:22:55][2308][5204][23a92ace-31f0175a-738a10df-9952b1cb-46955b03-9b7][SmKcc::getCredentials][Failed to create delegated GSSAPI token on behalf of HTTP/mysps.mydomain.com@MYDOMAIN.COM for smps@mypolicyserver.mydomain.com: Minor Status=-1765328228, Major Status=851968, Message=Cannot contact any KDC for requested realm]

How can we fix this?
Resolution:
  Modify krb5.ini on both the CA Access Gateway (SPS) and the Policy
  Server so that it points to another KDC: the current one was corrupted
  and no longer answers. This solved the issue.

  To illustrate:

  Change KDC1.mydomain.com to KDC2.mydomain.com

  from

  [realms]
  MYDOMAIN.COM = {
      kdc = KDC1.mydomain.com
      default_domain = mydomain.com
  }

  to

  [realms]
  MYDOMAIN.COM = {
      kdc = KDC2.mydomain.com
      default_domain = mydomain.com
  }

  Restart the CA Access Gateway (SPS) and the Policy Server services after the changes.