Error "kdc: Server not found in database" on attempted connections using Network User Credentials

I am rebuilding my system after a recent debacle with Time Machine, which resulted in a complete wiping of my Open Directory contents. At this point, users can log into various computers on the network, when the hosts have been reconnected to the newly formed Open Directory and the trust certificate has been authorized.  However, when users attempt to connect to any file share, the Network User Account credentials fail to gain access.
I am running Mac OS X 10.9.4 on all systems. Two mac-mini's are running OS X Server 3.1.2.  One of these servers (mavericks1.pediatricheartcenter.org) is the Open Directory.  While testing the system, I am using the console on "Mavericks1," so the following discussion involves communication between the two server hosts only.
From Mavericks1, I open the console and attempt to connect to my file server, named fileserver.pediatricheartcenter.org.  I clear the console just prior to sending a "registered user" request to "FileServer" to gain access.  Careful examination of the console records shows the following:
1. The Network User is authorized with a message "ENC-TS pre-authentication succeeded".
2. Mavericks1 lists a console message that reads "kdc: Server not found in database: krbtgt/[email protected]:no such entry found in hdb"
3. Mavericks1 lists a console message that reads "kdc: Server not found in database: cifs/[email protected]: no such entry found in hdb"
4. The process registers what appears to be a final failure before trying again with "kdc: Failed building TGS-REP to 127.0.0.1:64390"
FileStorage.local does not exist in the DNS, nor does it exist on FileStorage.pediatricheartcenter.org. That (local) host name was removed when the domain host name for filestorage.pediatricheartcenter.org was created.
1. Why does the kerberos process reference a host name that does not exist?
2. What might be causing the failed authentication exchange?
3. What can be done to remedy the issue?

I spent some time on the phone with Apple Support on Friday.  Thank you to Linc Davis for providing some insights into the issues.
As a result of the conversation with Apple Support we learned the following, which I will report here for those who might find this page again:
First, OpenDirectories are extremely fragile.  Once you have turned on your OpenDirectory, do not do any of the following:
Do NOT change the host name.
Do NOT change the IP address.
If you are going to attempt either of these things, you should make a clone of your drive (not just a TimeMachine backup, a fully bootable clone, just in case).
Performing these activities (particularly the changing of the host name) will "break" your open directory, and the only way to rebuild the open directory is first to fully destroy the original.  Several services are also destroyed when OpenDirectory is broken, the most notable is Profile Manager.
DESTROYING OPEN DIRECTORY
To fully destroy OpenDirectory, it is more complex than simply turning off the OpenDirectory and turning it back on again.  Perform the following steps:
1. Install WorkGroup Manager (it is deprecated, but Apple still has a version available for use with OS X Mavericks to handle functions that the Server App does not perform, like exporting users and groups).
2. Sign into WorkGroup Manager as the directory administrator (user name defaults to "diradmin"; the password is defined on OpenDirectory creation).
3. Export the Users, Groups, Computers and Computer Groups to the Desktop or another safe location.
4. Close WorkGroup Manager.
5. Turn off the OpenDirectory in Server App.
6. Delete the Server App from the Applications folder and put it in the Trash. (This will disable any active services that are marking various files as being currently in use. Don't worry, we will restore it from the Trash when we are done.)
7. In the terminal, run the following command: sudo slapconfig -destroyldapserver
8. Make a backup of all website files (just in case).
9. Navigate to the folder /Library/Server and delete the ProfileManager folder. (If you are willing to do so, delete the whole Server folder.)
10. After deleting various folders in the /Library/Server directory, restore the Server.app from the Trash.
11. Run the Server App.
12. Set the computer's network connection and host name.
13. Create a new OpenDirectory.
14. Use WorkGroup Manager to import any exported files from Step 3.
15. If you deleted the entire Server directory, use the website backup to retrieve the files that comprise your web site(s) and use the Server App to link the file directories to the Web site's domain name(s).
Personal Note: These instructions got me farther than any other tips I had received previously. After following these instructions, I was able to rebuild my Open Directory. During the process of copying files from the old user home folders into the new user home folders, the computer froze and when it rebooted, all the users and groups I had created during the day had disappeared. Rather than trouble-shooting it again, I decided to do a fresh installation.
A NOTE ON HOME FOLDERS
PER APPLE SUPPORT: Do NOT use the default /Users directory for Network users. Apple Support wanted me to rebuild the home directory, but they noted I was not able to do this, because I had used /Users.  This folder ("/Users") is a critical component of the OS X system, and will cause additional problems if the folder is destroyed and rebuilt.  The directory id and permissions must remain unchanged from the original installation.
For this reason, Server administrators (like yourself) should use File Sharing in the Server App to create a new anchor point for home directories.  Create a shared folder. Ensure that it is shared over the protocols that you will be using (AFP, SMB, WebDav), and then after selecting these values, check the box that allows the folder to be used as a home directory at the bottom of this list.  This box will be greyed out if the system is not already bound to an OpenDirectory. If you have activated OpenDirectory on the same machine, the machine will operate as if bound to itself, and this field will be active.  If the FileShare server is NOT an OpenDirectory master or replica, then bind the machine to an OpenDirectory via the "System Preferences > Users & Groups > Login Options".
If the local area network has FileShares that are enabled for home directory use, the folders will appear in the User Profile editor under the Home Folder list (See image)
In the screenshot above, I have selected a shared directory named "HomeFolders".  By using specially defined home folder directory, the server administrator has the option of deleting and modifying the home folder if necessary.  Creating a home folder directory in a location other than "/Users" is the recommended best practice by Apple Support.
If you are inserting files into the home folders, you will need to change the owner and the group to the new owners names.  I copied files from the old user directories into the new user directories so that the users would have access to their old files.  When my OpenDirectory crashed, and all the users were recreated, they were recreated with different system level user id's.  The system therefore maintains a memory that the file was owned by the original owner, even though the system administrator has put it in the new user profile's folder.  To fix this, do the following:
1. Prior to making the copy, run "ls -al" from the terminal on the new home directory root.  You are looking for the default folder owner and default folder group.  On my system it was the user name and a group named "staff".
2. When making the copy, do not replace the user folder. Copy the files into the file folder, not over it.
3. After you have moved files into the user's folders, you can use "sudo chown -R [owner]:[group] [homeFolderPath]/*" and "sudo chmod -R 700 [homeFolderPath]/*" (replace the [owner] and [group] portions of these commands with the owners and groups identified by the command in step 1, and replace [homeFolderPath] with a path to the user directory created for the specific user).
For example:
For the user johnnybgood, we might see the following:
1. We run "ls -al" on the newly created home folder and find that the folder /Volumes/HomeFolders/johnnybgood is owned by johnnybgood and the group "staff".
2. We copy or move files from the old locations using commands similar to the following:
       sudo mv /OldFolderLocation/johnnybgood/Documents/* /Volumes/HomeFolders/johnnybgood/Documents
       sudo mv /OldFolderLocation/johnnybgood/Desktop/* /Volumes/HomeFolders/johnnybgood/Desktop
       sudo mv /OldFolderLocation/johnnybgood/Music/* /Volumes/HomeFolders/johnnybgood/Music
       ....etc....
       (notice how we are not just moving the old johnnybgood folder to the new location.)
3. Next, we change the ownership and file permissions:
       sudo chown -R johnnybgood:staff /Volumes/HomeFolders/johnnybgood/Documents
       sudo chown -R johnnybgood:staff /Volumes/HomeFolders/johnnybgood/Desktop
       sudo chown -R johnnybgood:staff /Volumes/HomeFolders/johnnybgood/Music
       ...etc...
       sudo chmod -R 700 /Volumes/HomeFolders/johnnybgood/Documents
       sudo chmod -R 700 /Volumes/HomeFolders/johnnybgood/Desktop
       sudo chmod -R 700 /Volumes/HomeFolders/johnnybgood/Music
       ...etc...
4. Let the user log in and use the system normally.

Similar Messages

  • Have upgraded to 6.0.2 on my MacBook and get error message "Server Not Found" everytime i use Firefox; however, if i then click on my Gmail or other sites from bookmark toolbar it connects. means an extra step and that never happened before

    when i first click on Firefox the URL: www.27yhbnhy6tfgvrbcfre3.com shows up and the error message "Server not Found". but i can connect to any website by just clicking on a bookmark from the toolbar (or typing in a url). this never happened with previous versions of Firefox

    A possible cause is security software (firewall) that blocks or restricts Firefox or the plugin-container process without informing you, possibly after detecting changes (update) to the Firefox program.
    Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox and the plugin-container process and the updater process.
    See:
    * https://support.mozilla.com/kb/Server+not+found
    * https://support.mozilla.com/kb/Firewalls
    Start Firefox in Safe Mode to check if one of the extensions is causing the problem (switch to the DEFAULT theme: Firefox (Tools) > Add-ons > Appearance/Themes).
    *Don't make any changes on the Safe mode start window.
    *https://support.mozilla.com/kb/Safe+Mode

  • Constantly keep getting error 404, server not found

    Very frequently I keep getting the error message 404, server not found. This problem mainly comes up after I have been on the computer for a while, and I leave the web site that I'm viewing on for some time. I then return to the computer some time later, and when I try to refresh the page to update the info on the page (example: a weather site or yahoo stock market info) I keep getting, 404 server not found. When I try the option: try again, it does nothing to solve the constant problem. The only way I can get back to the web site and see updated info is to start firefox in safe mode. And, that does solve the problem. But why does this problem keep constantly occurring. And, why do I have to constantly have to restart firefox in safe mode to get going again. It would seem firefox should recognize this issue and solve it. I'm using what I believe to be the latest version, 15. Can someone shed some light on this issue? I did not have this problem with my older computer and an old version of firefox, version 3.6. But, since getting a new computer and using a new version of firefox, version 15, this problem constantly appears. Can some one help? Thank you.

    Which security software (firewall, anti-virus) do you have?
    A possible cause is security software (firewall,anti-virus) that blocks or restricts Firefox or the plugin-container process without informing you, possibly after detecting changes (update) to the Firefox program.
    Remove all rules for Firefox and the plugin-container from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox and the plugin-container process and the updater process.
    See:
    *https://support.mozilla.org/kb/Server+not+found
    *https://support.mozilla.org/kb/Firewalls
    Do a malware check with some malware scanning programs on the Windows computer.
    You need to scan with all programs because each program detects different malware.
    Make sure that you update each program to get the latest version of their databases before doing a scan.
    *Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php
    *SuperAntispyware: http://www.superantispyware.com/
    *Microsoft Safety Scanner: http://www.microsoft.com/security/scanner/en-us/default.aspx
    *Windows Defender: Home Page: http://www.microsoft.com/windows/products/winfamily/defender/default.mspx
    *Spybot Search & Destroy: http://www.safer-networking.org/en/index.html
    *Kaspersky Free Security Scan: http://www.kaspersky.com/security-scan
    You can also do a check for a rootkit infection with TDSSKiller.
    *http://support.kaspersky.com/viruses/solutions?qid=208280684
    See also:
    *"Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked

  • I keep getting error messages "server not found " but when I press "try again" the page loads immediately, you know why ? thanks

    I've checked the wireless and internet connections and they work perfectly. I believe that has something to do with the browser. I work with a Mac Book 2.1 ghz and Mac OS 10.5.8. Thanks for all your help.

    check out this article: Server not Found (http://support.mozilla.com/en-US/kb/server%20not%20found)

  • Why the hell do I keep getting this friggin' error msg"Server not found Firefox can't find the server at .................." ?

    Done all suggestions in online help (windows firewall settings, updates, etc.) No problem with IE8 with same webpages.

    I'm looking for a solution for the "Server Not Found message I keep getting repeatedly, and this thread does not provide a solution.
    However, I had to sign in to say that the "Reset Firefox" feature should never be presented as a first solution to any problem. It's a last resort, not first resort. Doing so is lazy thinking and reckless, especially when dealing with users who may be newbies or inexperienced, or who may not read instructions so carefully and understand the ramifications of wiping their settings and customizations.
    There are plenty of articles and Knowledge Base entries that touch upon this user's problem, so why wasn't he directed to those, or at least the invariable "Open in safe Mode", before suggesting such a drastic "solution"?

  • I get error message, server not found every time I use Firefox browser

    Every time I open FireFox I get this message, server not found, can't find the server at www.s.com How do I get rid of that message? Thanks.

    See:
    *https://support.mozilla.com/kb/Server+not+found
    *https://support.mozilla.com/kb/Firewalls

  • I get the error messages: "Server not found" or "Cannot connect to Server" and thus cannot print. I don't even know what a server is.

    Hello: I am not computer savvy.
    I have run "Network Diagnostics" and the message "Cannot connect to Server" comes up. I can connect to the internet. I have tried turning off the whole system and the printer individually and nothing seems to change the message.

    hello,
    i got the same issue i'm using kde the link abe for "Adding a login manager (KDM, GDM, or XDM) to automatically boot on startup" guide is dead
    arkham wrote:Have you tried the inittab approach for starting kdm? http://wiki.archlinux.org/index.php/Add … tab_Method
    could you help me please ?
    Thank you
    Last edited by hael (2012-05-05 08:57:44)

  • I keep getting error message file not found 404 when I attempt to combine files

    I have used the adobe cloud many times to combine files, today it is not working. Just keep getting error message.
    Please advise!
    Thanks,

    Hi iabrad,
    I'm sorry to hear that you're running into problems with the Acrobat.com website today. Let's start with this:
    Log out, clear the browser cache, and try logging in to https://cloud.acrobat.com/combinepdf
    Try a different web browser. For a list of supported browsers, see System requirements | Acrobat.com
    If that doesn't do the trick, let us know (and please tell us what browser/OS you're using, and if the error occurs regardless of what files you try to combine--if you even get that far in the process!).
    Best,
    Sara

  • N95 8GB WLAN PROBLEM (SERVER NOT FOUND)

    HI, just got my new n95 8gb and tried connecting it to my home network,i find the access point and define the access point but when i try start web browsing i get error mesage "server not found".
    any ideas anyone?

    That error message tells that your phone can't connect to a DNS. There are lots of causes for that & one is if your WIFI has been configured with hardware address filtering as a security measure. Try if you could put the primary DNS & Secondary in the configuration of your phone & check if it will work.
    Knowledge not shared is knowledge wasted!
    If you find it helpful, it's not hard to click the STAR..

  • Firefox periodically shows "server not found" message for Verizon/Yahoo email. Often self corrects in 5 to 10 minutes ?

    System is Windows VISTA. While on Verizon/Yahoo mail Firefox will lose the connection and show a "server not found" message. Explorer will connect with no problem to the email server. The problem self corrects within 5 or 10 minutes but this may happen 5 or 6 times in a day.
    Is this a Firefox problem with proxy access? Settings appear to be the same.

    i forgot to mention, that when i stripped this machine back down to 10.3.7 and before i re built i did do a hardware check with the original install Disks [3] and every thing came back clean.
    the weirdness with the colors on window, if i pass a app like text edit over the area, the color will not cover the app but stay in the background.
    when i first saw this color thing i had the preference pane out and was moving it around on screen and the colors were bleeding off of the preference pane onto the screen.
    if you have any idea as to what is going on here let me know.
    thank you

  • Firefox opens websites when hard wired to router, but when using wireless I get a server not found message.

    Firefox (3.6.10) opens websites when hard wired to router, but when using wireless I get message: SERVER NOT FOUND FIREFOX CAN'T FIND THE SERVER AT SEARCH.AVG.COM. My homepage is http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official. My anti-virus is AVG free 8.5.448. What can cause this?
    If Work Offline is checked in Firefox File, I can get to Google search site. When I un-check it I still get the Server Not Found message

    Did you check the connection settings?
    *Tools > Options > Advanced > Network : Connection > Settings
    *https://support.mozilla.org/kb/Options+window+-+Advanced+panel
    If you do not need to use a proxy to connect to internet then try to select "No Proxy" if "Use the system proxy settings" or one of the others do not work properly.
    See "Firefox connection settings":
    *https://support.mozilla.org/kb/Firefox+cannot+load+websites+but+other+programs+can

  • My mac says "Server Not Found"

    Ok so I hooked up my IMAC G3 to the internet through an ethernet cable and it does not work. When I start Explorer it says Server not found. When I go to the network connections, it shows the IP address and all the info. Please someone let me know what's going on.

    It should still work for at least connecting, but it is possible installing a more recent browser will help.
    The old Mozilla suite should work, and would probably be the best bet for Mac OS X 10.1.x
    http://www-archive.mozilla.org/products/mozilla1.x/sysreq.html
    Also, make sure you have installed 10.1.5 (I believe that's the latest update for that release).

  • GSSAPI Error: Server not found in Kerberos database

    Hi all
    For about 3 days I'm now seeing this error message in system.log every 3 minutes:
    DirectoryService: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
    This happens on a fileserver which is connected to an OD server.
    I did a search in this forum and found one thread about it. The advice there was to look in kdc.log to see which principal is failing - but I don't have a kdc.log. The other tip was to use kadmin to get a list of the principals by using
    kadmin.local -q listprincs
    but what I get instead of this list is:
    Authenticating as principal xyz/[email protected] with password.
    kadmin.local: No such file or directory while initializing kadmin.local interface
    It seems that some file is missing, which would explain why DirectoryService can't find the server in the database... I have to confess that I have no idea as to how Kerberos works or how to configure it.
    Authentication against the OD server is working fine, it's just that the errors in the log are getting on my nerves, and they make it difficult to find other, more important messages in system.log.
    Thanks, Tina

    Ah, I see, the kdc.log is on the OD server, not on
    the file server where I was looking for it.
    OK, in the kdc logfile I have a lot of entries like
    these ones:
    Kerberos is an auth system where the user authenticates to the kdc and is issued a TGT (Ticket Granting Ticket). The user then presents their TGT and a service principal (Kerberos name of a server) to the kdc to get a service ticket. The user then sends the service ticket to the server who lets the user in.
    Some interpretation:
    Mar 22 09:18:35 zool09.abc.xy krb5kdc[218](info):
    TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.23:
    UNKNOWN_SERVER: authtime 1143003387,
    [email protected] for krbtgt/[email protected],
    Server not found in Kerberos database
    This (TGS_REQ) is request for a service ticket from 130.60.23.23 using the
    TGT owned by [email protected], to get a service ticket for
    krbtgt/[email protected]. It looks like krbtgt/[email protected] is not in your kdc's database. This looks like a cross realm request.
    If you are also connected to an active directory system you might see something like this.
    Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info):
    AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11:
    NEEDED_PREAUTH: [email protected] for
    krbtgt/[email protected], Additional
    pre-authentication required
    Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info):
    AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11:
    ISSUE: authtime 1143015560, etypes {rep=16 tkt=16
    ses=16}, [email protected] for
    krbtgt/[email protected]
    The AS_REQ's above are the two step authentication process for user [email protected] from 130.60.23.11.
    Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info):
    TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11:
    UNKNOWN_SERVER: authtime 1143001370,
    [email protected] for
    krbtgt/[email protected], Server not
    found in Kerberos database
    This is another service ticket request. Though the requested service principal looks malformed, I would look for something misconfigured on 130.60.23.11.
    Possibly watch what user zds01 is doing during login to get some idea of what's going on.
    Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info):
    TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11:
    UNKNOWN_SERVER: authtime 1143001370,
    [email protected] for
    krbtgt/[email protected], Server not found
    in Kerberos database
    Same as above.
    What do they mean? I didn't set up Kerberos
    authentication, I think I don't need it, is there any
    way to disable it? Or am I using it without knowing
    it??
    When you set up the OD Master, a kdc & the needed files were set up to allow single sign on to all the kerberized services in the system.
    - see if you have an
    /Library/Preferences/edu.mit.Kerberos file
    - Also look for an /etc/krb5.keytab file
    Yes, I have both of them.
    kadmin.local -q listprincs on the OD server gives me
    a long list of computers, users and services like
    this:
    I don't know what these all mean... could you give me
    a brief explanation?
    [email protected]
    When you create a computer record in Workgroup Manager a generic principal name is added to the kdc for that computer. It is related to the host/computer_name@REALM service principal for servers.
    [email protected]
    This is a user principal (this is the account name for the user in the Kerberos system) Sometimes you will see user/admin@REALM.
    afpserver/[email protected]
    This is a service principal. They usually are in the form servicetype/server_dnsname@REALM
    One of the things that Kerberos is very sensitive to is correct DNS configuration. You need to have both forward (name -> IP) and reverse (IP -> name) DNS set up for all the servers in your realm.
    Hope this helps
    - Leland
    DP G4   Mac OS X (10.4.5)  
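Added example, not part of the original posts: a Python triage of "server not found" KDC log lines in the two formats quoted on this page (the `kdc:` console messages from the first post and the `krb5kdc` TGS_REQ lines interpreted in the reply above). The sample lines, the EXAMPLE.ORG realm, the example.org DNS domain, the user names and the verdict labels are all constructed for illustration.

```python
import re

# Constructed sample log lines (not taken from any real system). The first four
# mimic the console messages in the first post, the last two the krb5kdc format.
SAMPLE_LOG = """\
Aug 02 10:01:07 mavericks1 kdc[412]: ENC-TS pre-authentication succeeded -- user1@EXAMPLE.ORG
Aug 02 10:01:07 mavericks1 kdc[412]: Server not found in database: krbtgt/LOCAL@EXAMPLE.ORG:no such entry found in hdb
Aug 02 10:01:07 mavericks1 kdc[412]: Server not found in database: cifs/FileStorage.local@EXAMPLE.ORG: no such entry found in hdb
Aug 02 10:01:07 mavericks1 kdc[412]: Failed building TGS-REP to 127.0.0.1:64390
Mar 22 09:18:35 kdc1.example.org krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.23: UNKNOWN_SERVER: authtime 1143003387, user2@EXAMPLE.ORG for afpserver/files.example.org@EXAMPLE.ORG, Server not found in Kerberos database
Mar 22 09:19:20 kdc1.example.org krb5kdc[218](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11: ISSUE: authtime 1143015560, etypes {rep=16 tkt=16 ses=16}, user2@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
"""

# krb5kdc style: "TGS_REQ (...) <ip>: UNKNOWN_SERVER: authtime N, <client> for <service>, Server not found ..."
MIT_RE = re.compile(
    r"TGS_REQ \(.*?\) (?P<ip>\S+): UNKNOWN_SERVER: authtime \d+,\s+"
    r"(?P<client>\S+) for (?P<service>\S+?),\s+Server not found in Kerberos database"
)
# Console style: "kdc: Server not found in database: <service>: no such entry found in hdb"
HEIMDAL_RE = re.compile(
    r"kdc(?:\[\d+\])?: Server not found in database: "
    r"(?P<service>\S+?):\s*no such entry found in hdb"
)


def parse_unknown_server(line):
    """Return the requested principal (plus client and source IP when logged), or None."""
    m = MIT_RE.search(line)
    if m:
        return {"principal": m["service"], "client": m["client"], "ip": m["ip"]}
    m = HEIMDAL_RE.search(line)
    if m:
        return {"principal": m["service"], "client": None, "ip": None}
    return None


def classify(principal, dns_domain):
    """Label why a service principal is probably unknown to the KDC (labels are this example's own)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or "/" not in name:
        return "malformed"
    service, instance = name.split("/", 1)
    if service == "krbtgt":
        # krbtgt/<other realm>@<realm> is a cross-realm ticket request.
        return "cross-realm" if instance != realm else "missing-principal"
    host = instance.lower().rstrip(".")
    domain = dns_domain.lower()
    if host != domain and not host.endswith("." + domain):
        # The client asked for a host name outside the realm's DNS domain,
        # e.g. a leftover ".local" name, so no matching principal can exist.
        return "host-outside-domain"
    return "missing-principal"


def triage(lines, dns_domain):
    """Group unknown-server events by requested principal."""
    report = {}
    for line in lines:
        hit = parse_unknown_server(line)
        if hit is None:
            continue
        entry = report.setdefault(
            hit["principal"],
            {"verdict": classify(hit["principal"], dns_domain), "count": 0, "sources": set()},
        )
        entry["count"] += 1
        if hit["ip"]:
            entry["sources"].add((hit["ip"], hit["client"]))
    return report


if __name__ == "__main__":
    for principal, info in triage(SAMPLE_LOG.splitlines(), "example.org").items():
        print(f"{info['count']}x {info['verdict']:<20} {principal} {sorted(info['sources'])}")
```

A `host-outside-domain` or `cross-realm` verdict suggests checking the host name and DNS records the requesting machine is using before touching the KDC database; `missing-principal` suggests comparing against the output of the principal listing on the directory server.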

  • Server not found in Kerberos database (7)

    Hi!
    Running the examples from
    http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab
    works fine for me as long as I use the Kerberos test realm I have set up on a unix machine. But when I run the same classes against our Active Directory, the client spills a stacktrace, indicating that AD can not find the server in its database. But it actually is in that database, as the sample server can perfectly authenticate as exactly that principal!
    Enabling all security related debug info i could find, this is the client dump:
    $ java -Djava.security.auth.login.config=jaas-krb5.conf
         -Djava.security.krb5.kdc=##KDC##
         -Djava.security.krb5.realm=##REALM##
         -Dsun.security.jgss.debug=true
         -Dsun.security.krb5.debug=true
         -Djava.security.debug="logincontext,policy,scl,gssloginconfig"
         GssClient host ##SERVER##
    scl:  getPermissions ProtectionDomain  (file:/xxxxx/ <no signer certificates>)
    sun.misc.Launcher$AppClassLoader@11b86e7
    <no principals>
    java.security.Permissions@1a46e30 (
    (java.io.FilePermission \xxxxx\- read)
    (java.lang.RuntimePermission exitVM)
    scl:
    Debug is  true storeKey false useTicketCache true useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is xxxxx tryFirstPass is true useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache
    KinitOptions cache name is C:\xxxxxAcquire default native Credentials
    Obtained TGT from LSA: Credentials:
    client=##USER##@##REALM##
    server=krbtgt/##REALM##@##REALM##
    authTime=20070705103930Z
    startTime=20070705103930Z
    endTime=20070705203930Z
    renewTill=20070712103930Z
    flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
    EType (int): 23
    Principal is ##USER##@##REALM##
                    [Krb5LoginModule] authentication succeeded
            [LoginContext]: login success
    Commit Succeeded
            [LoginContext]: commit success
    Authenticated principal: [##USER##@##REALM##]
    Connected to address ##SERVER##/xxxxx
    xxxxx
    create server name with host@##SERVER##
    Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
    Found ticket for ##USER##@##REALM## to go to krbtgt/##REALM##@##REALM## expiring on Thu Jul
    05 20:39:30 GMT 2007
    Entered Krb5Context.initSecContext with state=STATE_NEW
    Found ticket for ##USER##@##REALM## to go to krbtgt/##REALM##@##REALM## expiring on Thu Jul
    05 20:39:30 GMT 2007
    Service ticket not found in the subject
    Credentials acquireServiceCreds: same realmUsing builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 3 1 23 16 17.
    CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    KrbKdcReq send: kdc=##KDC## UDP:88, timeout=30000, number of retries =3, #bytes=1328
    KDCCommunication: kdc=##KDC## UDP:88, timeout=30000,Attempt =1, #bytes=1328
    KrbKdcReq send: #bytes read=101
    KrbKdcReq send: #bytes read=101
    KDCRep: init() encoding tag is 126 req type is 13
    KRBError:         sTime is Thu Jul 05 14:43:05 GMT 2007 1183646585000
             suSec is 487997
             error code is 7
             error Message is Server not found in Kerberos database
             realm is ##REALM##
             sname is host/##SERVER##
             msgType is 30
    KrbException: Server not found in Kerberos database (7)
            at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
            at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
            at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
            at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
            at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
            at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
            at GssClient$GssClientAction.run(GssClient.java:171)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Unknown Source)
            at Jaas.loginAndAction(Jaas.java:94)
            at GssClient.main(GssClient.java:97)
    Caused by: KrbException: Identifier doesn't match expected value (906)
            at sun.security.krb5.internal.KDCRep.init(Unknown Source)
            at sun.security.krb5.internal.TGSRep.init(Unknown Source)
            at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
            ... 13 more
    Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Unknown Source)
            at Jaas.loginAndAction(Jaas.java:94)
            at GssClient.main(GssClient.java:97)
    Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
            at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
            at GssClient$GssClientAction.run(GssClient.java:171)
            ... 4 more
    Caused by: KrbException: Server not found in Kerberos database (7)
            at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
            at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
            at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
            at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
            at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
            ... 8 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
            at sun.security.krb5.internal.KDCRep.init(Unknown Source)
            at sun.security.krb5.internal.TGSRep.init(Unknown Source)
            at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
            ... 13 more
    Why's AD claiming in the KRBError that it can't find a sname/realm which exactly matches the principal it accepted for the server? This totally confuses me! Can please anyone bring some light?
    Regards

    It works now!!!
    The exact procedure is:
    - Create a new user in AD with an arbitrary name <username>. Use the same name in "User Logon Name", "User Logon Name (pre Win2K)" and "First Name" (odd, isn't it).
    - Set the password, deactivate "User has to change the password at first logon", and activate "Password never expires"
    - Create a mapping for the service name by entering into the command line: ktpass -princ "<protocol>/<fqdn>@<realm>" -mapuser "<username>@<realm>" -pass "*" -out dummy.keytab
    - Check that the mapping is set and unique; use adsiedit.msc (Windows Support Tools).
    - Now you can use the Java tool ktab to create your own keytab as usual and go.
    But it is a science in its own right to correctly configure an Active Directory, especially for use with Kerberos. In particular error messages are hardly useful (as it is generally the case in the Kerberos world). It may help to read:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=99b0f94f-e28a-4726-bffe-2f64ae2f59a2&DisplayLang=en
    and
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en
    Have fun!

  • SSO2 Error = ERROR: PSE not found in database

    Hello Gurus,
    Need your help.
    In SS02 in the directory below SAPSSO2000.pse is incorrect. This should point to /usr/sap/MQW/DVEBMGS04/sec/SAPSYS.pse and I am not sure how to correct it. Do I need to maintain a profile to do this.
    Certificate List
    The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket
    /usr/sap/MQW/DVEBMGS04/sec/SAPSSO2000.pse
    As a remedy, i have created a soft link so it will still point to SAPSYS.pse but I am still having an error below.
    Application server PSE:
    ID:           CN=MPW
    Namespace:
    Profiles:     /usr/sap/MQW/DVEBMGS04/sec/SAPSSO2000.pse
    OK: file available, length:      4.033
    ERROR: PSE not found in database
    Can anyone advise me what to do please? Thanks in advance!
    Rachelle

    Hi,
    Is environment variable SECUDIR set ?
    Thanks
    Sunny
