
Kerberos Single Sign-On with System Ticket Cache Not Working

Hello, I am facing some issues with the Kerberos authentication. I'm able to connect to our Denodo server using both the **user/password** and **keytab** approaches, but somehow the **Use Single Sign-On with system ticket cache** option returns **Error authenticating client with kerberos: Unable to obtain Principal Name for authentication** on the login page and in the admin logs. What's strange is that it was working a couple of weeks ago, but one day it just decided to not work anymore. I need this option to work because I'm also connecting to Denodo in Tableau Desktop, which seems to require Kerberos to sign in. I'd really appreciate any pointers on this or just whatever approach I could possibly test out! Please do not hesitate to let me know if any additional info is needed on my end as well. FYI, I'm using Denodo in MacOS, and if it helps, my krb5 files are stored in /etc/krb5.conf and /etc/krb5.keytab. Thank you so much!
user
28-03-2022 11:38:12 -0400

9 Answers

Hi,

The ‘Unable to obtain Principal Name for authentication’ usually points to issues with krb5.ini file configuration, which is specific to Windows. Please refer to the Knowledge base article [Configure Kerberos in client Denodo Administration Tool](https://community.denodo.com/kb/en/view/document/Kerberizing%20Denodo%20for%20SSO%20-%20Step%20by%20step%20guide%20-%20Clients%20Configuration%20%28IV%29#h.jxenswvwstc5). However, krb5.ini is a copy of the **krb5.conf** file, so as a first step I would suggest you check if the krb5.conf file is configured correctly. Please refer to the Knowledge base article [Preparing Kerberos configuration file](https://community.denodo.com/kb/en/view/document/Kerberizing%20Denodo%20for%20SSO%20-%20Step%20by%20step%20guide%20-%20Server%20Configuration%20%28III%29#h.jgxu6zl9wubo).

Apart from configuration issues, **ticket expiry** can also be an issue in this scenario. To troubleshoot this, I would make use of the 'Terminal' commands such as **klist** and **kinit** present in Kerberos /usr/bin folder.

* Check if the ticket has expired from the ticket cache:
  * Execute ‘**klist**’ command
  * It should result in the ticket details such as ‘Service Principal name’, ‘valid start date’ & ‘expiry date’.
  * If it results in ‘No credentials cache found’, then it means the stored ticket is expired
* List the contents of keytab file to check the Service Principal name:
  * Execute ‘**klist -kt /etc/krb5.keytab**’
  * It would result in the principal name
* Renew Kerberos ticket using ‘kinit’ command specified with keytab file & principal name:
  * Execute ‘**kinit -kt /etc/krb5.keytab <principal name>**’
* Check if the ticket is present in ticket cache:
  * Execute ‘**klist**’ command
  * Now the added ticket should appear with a renewed expiry date.
* Then try to login again with ‘Use SSO with system ticket cache' option.

You can utilize the ‘Ticket viewer’ present in /System/Library/CoreServices folder, to view ticket details graphically.
Furthermore, you can enable the ‘**Activate Kerberos debug mode**’ option in ‘Admin Tool Preferences -> Authentication -> Kerberos Authentication’ to log detailed information in vdp-admin.log for troubleshooting. Hope this helps!
Denodo Team
29-03-2022 08:06:25 -0400
Thanks for your response! Renewing the ticket without specifying the keytab (`kinit <principal name>`) works fine, and the keytab and krb5.conf both look normal to me. However, when I run `kinit -kt /etc/krb5.keytab <principal name>`, it returns **kinit: Pre-authentication failed: Invalid argument while getting initial credentials**. May I ask what the issue might be in this case? Thank you!
user
29-03-2022 09:23:38 -0400
Hi, The ‘kinit -kt /etc/krb5.keytab <principal name>’ could be specific to Windows/Linux. In the case of MacOS, I expect ‘**kinit <principal name>**’ to work as expected to renew Kerberos ticket. Once it is done, I would verify it by executing the ‘klist’ command. In an ideal scenario, it should display the principal name with a new expiry date. Then try to login again with ‘Use SSO with system ticket cache’. Hope this helps!
Denodo Team
30-03-2022 07:49:28 -0400
Hi, The problem is that kinit and klist seem to be returning the right things, but I still get stuck if I use SSO with system ticket cache to log in Denodo. FYR, klist returns the following info when I renew my ticket with *kinit <principal name>*:

1. Ticket cache
2. Default principal
3. Valid starting
4. Expires
5. Service principal
6. Renew until

Does this seem right to you? Or do I need to take any additional steps to set up my keytab? I tried using ktutil to add new principal name entries but that didn't seem to work either. I know it might be hard to identify the exact problem from my descriptions, but I'd greatly appreciate if you could offer some stuff that I could test out first. Thank you!
user
30-03-2022 09:59:17 -0400
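
The `klist` check suggested in the first answer, applied to the fields listed in the post above, as an added example that is not part of the original thread: it reads a `klist` listing and reports whether a `krbtgt` entry is present and unexpired, and which cache the listing came from. It assumes the MIT-style layout with `MM/DD/YYYY` dates; the function name `check_tgt` and the sample principal, realm and host are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes MIT-style klist layout with MM/DD/YYYY dates.

# check_tgt NOW   (klist output on stdin; NOW is YYYYMMDDHHMMSS)
# Prints one status line. Returns 0 = valid TGT, 1 = TGT expired,
# 2 = no krbtgt entry in the listing.
check_tgt() {
    awk -v now="$1" '
        # "MM/DD/YYYY" and "HH:MM:SS" -> sortable "YYYYMMDDHHMMSS"
        function stamp(d, t,   p) {
            split(d, p, "/"); gsub(":", "", t)
            return p[3] p[1] p[2] t
        }
        /^Ticket cache:/      { cache = $3 }
        /^Default principal:/ { princ = $3 }
        # Ticket rows: start date, start time, end date, end time, service
        $5 ~ /^krbtgt\// { tgt = $5; expires = stamp($3, $4) }
        END {
            if (tgt == "")      { print "NO_TGT cache=" cache; exit 2 }
            if (expires <= now) { print "EXPIRED principal=" princ " tgt=" tgt; exit 1 }
            print "OK principal=" princ " tgt=" tgt " cache=" cache
        }'
}

# Constructed sample listings (principal, realm and host are made up).
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
03/30/2022 09:50:11  03/30/2022 19:50:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/06/2022 09:50:11'

SAMPLE_NO_TGT='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
03/30/2022 09:55:02  03/30/2022 19:50:11  HTTP/denodo.example.com@EXAMPLE.COM'

# Demo on the constructed listing, two hours after issue.
printf '%s\n' "$SAMPLE_OK" | check_tgt 20220330120000
# Live use: klist | check_tgt "$(date +%Y%m%d%H%M%S)"
```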
Hi, The information listed by ‘klist’ looks good and it should work fine in an ideal scenario. Though Denodo does not support MacOS officially, Kerberos authentication should work fine with the suggested steps. As a last step, I would enable the ‘**Activate Kerberos debug mode**’ option in ‘Admin Tool Preferences -> Authentication -> Kerberos Authentication’ and look for vdp-admin.log entries that could be helpful in troubleshooting the issue. Please refer to the [Kerberos Debug Mode](https://community.denodo.com/kb/en/view/document/Kerberos%20configuration%20and%20troubleshooting#h.ytygsurk2ol5) section of the Knowledge Base article ‘Kerberos configuration and troubleshooting’ for detailed information. Hope this helps!
Denodo Team
31-03-2022 09:21:47 -0400
Hi, I did check the admin logs before, but I wasn't able to find a direct answer for my error in the article that you've attached. It seems to me the main error that I'm running into is "Found no TGT's in LSA", which leads to "Principal is null" and "null credentials from Ticket Cache" errors, but I'm not certain about this. I've attached the error image below as well. ![](https://imgur.com/a/ayPHqoY) Please let me know if you have any thoughts on why this is occurring. Thank you so much!
user
31-03-2022 14:08:03 -0400
![](https://i.imgur.com/5KKo2Iw.png)
user
31-03-2022 14:10:15 -0400
The insert image function doesn't seem to be working, but you'll find the image here: https://i.imgur.com/5KKo2Iw.png. Thanks again!
user
31-03-2022 14:11:33 -0400
Hi, The error ‘Found no TGT’s in LSA’ suggests that the ticket granting ticket cannot be found in the ticket cache. This could be due to issues in krb5.conf and/or krb5.keytab file(s). In this case, I would try **regenerating the keytab** file again to check if that makes any difference. If you still need help and if you are a valid Support user, then please raise a Support case at [Denodo Support Site](https://support.denodo.com/) so that our Support Team will help you resolve this issue. Hope this helps!
Denodo Team
01-04-2022 08:10:33 -0400