Failed to create delegated GSSAPI token on behalf of HTTP/server03.domain.lab@DOMAIN.LAB for smps@server02.domain.lab: Minor Status=-1765328377, Major Status=851968, Message=Server not found in Kerberos database

Document ID : KB000046427
Last Modified Date : 14/02/2018

Question:

While setting up the Kerberos authentication scheme, I am getting "Server not found in Kerberos database".

Why am I getting this error and how can I resolve it?


Answer:

There can be multiple reasons, but it usually means that the HTTP/<fqhn>@DOMAIN.LAB SPN value was not found in the Kerberos database, or that delegation was not allowed for the service account.


Why the SPN was not found:

1. The SPN is case sensitive: if your klist output shows "HTTP/server03.domain.lab@DOMAIN.LAB", then exactly that string must be set as the "HttpServicePrincipal" value in the ACO. Copy and paste it rather than retyping it.

2. DNS resolution returned the short hostname instead of the FQHN. Capture a tcpdump on the SPS/WA side and filter on the Kerberos traffic to see whether the hostname or the FQHN was returned; that value must match what is specified as "HttpServicePrincipal". A quick workaround for testing is an /etc/hosts entry mapping the IP address to the specific FQHN. Long term, DNS must return the FQHN, matching the case-sensitive value.

3. Kerberos relies on the presence of both forward and reverse DNS records for the host.

4. If you are using a load balancer in front of multiple Web Agents, the SPN must use the load balancer's FQHN.

5. The domain-to-realm mapping is incorrect.
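As an added diagnostic that is not part of this KB article, the following Python script performs the checks from items 1 through 4 above offline: it parses the configured HttpServicePrincipal, compares its host part case-sensitively with the name DNS returned, and flags a short hostname or a missing reverse record. The sample SPN and DNS answers are constructed; lookup_names() is an assumed helper that performs the real lookups on a live SPS/WA host.

```python
import re
import socket

# HttpServicePrincipal must look like HTTP/<fqhn>@REALM, e.g. HTTP/server03.domain.lab@DOMAIN.LAB
SPN_RE = re.compile(r"^([^/@]+)/([^/@]+)@([^/@]+)$")


def parse_spn(spn):
    """Split an SPN into (service, host, realm); None if it is malformed."""
    m = SPN_RE.match(spn)
    return m.groups() if m else None


def diagnose_spn(configured_spn, forward_name, reverse_name):
    """Compare the ACO HttpServicePrincipal value with the names DNS returned.

    forward_name: name the forward lookup returned (FQHN or short hostname).
    reverse_name: name the reverse (PTR) lookup returned, or None if it failed.
    Returns a list of findings; an empty list means no mismatch was detected.
    """
    parts = parse_spn(configured_spn)
    if parts is None:
        return ["HttpServicePrincipal is not of the form HTTP/<fqhn>@REALM: %r" % configured_spn]
    service, host, realm = parts
    findings = []
    if service != "HTTP":
        findings.append("service part is %r, expected HTTP" % service)
    if "." not in host:
        findings.append("SPN host %r is a short hostname, not an FQHN" % host)
    if "." not in forward_name:
        findings.append("DNS returned short hostname %r instead of an FQHN" % forward_name)
    if forward_name != host:
        if forward_name.lower() == host.lower():
            findings.append("case mismatch: DNS returned %r but the SPN has %r" % (forward_name, host))
        else:
            findings.append("DNS returned %r, which is not the SPN host %r (load balancer FQHN?)" % (forward_name, host))
    if reverse_name is None:
        findings.append("no reverse (PTR) record resolves the host's address")
    elif reverse_name.lower() != forward_name.lower():
        findings.append("forward/reverse mismatch: forward %r, reverse %r" % (forward_name, reverse_name))
    return findings


def lookup_names(hostname):
    """Live lookup of the two names diagnose_spn() needs; returns (forward, reverse or None)."""
    forward = socket.getfqdn(hostname)
    try:
        reverse = socket.gethostbyaddr(socket.gethostbyname(forward))[0]
    except (socket.gaierror, socket.herror):
        reverse = None
    return forward, reverse


if __name__ == "__main__":
    # Constructed sample: DNS returned a lower-case FQHN while the ACO value has mixed case.
    for line in diagnose_spn("HTTP/Server03.domain.lab@DOMAIN.LAB", "server03.domain.lab", "server03.domain.lab"):
        print(line)
```

On a live host, pass the output of lookup_names("server03") to diagnose_spn() together with the ACO value to reproduce the checks against your own DNS.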


Why delegation was not allowed:

1. You need to explicitly allow delegation for the SPS/WA service account. In Active Directory, locate the SPS/WA service account, open its "Delegation" tab and ensure delegation is allowed. If this is not set, delegation is not allowed and the error results.


Whenever you make changes, it is advisable to restart the SPS/WA service.


Additional Information:

https://technet.microsoft.com/en-us/library/bb463167.aspx


https://en.wikipedia.org/wiki/List_of_DNS_record_types