Step 1: Verify Kerberos Configuration in AppManager
Step 2: Check Hostname and Domain
Step 3: Verify Service Principal Name (SPN) Configuration
Step 4: Check krb5.ini Configuration
Step 5: Ensure System Clock Synchronization
Step 6: Check Ticket Cache (if applicable)
Step 7: Common Error Cases and Troubleshooting Steps
Step 8: Collect Required Details if the Issue Persists
Step 1: Verify Kerberos Configuration in AppManager
Ensure Kerberos is configured in AppManager as per the KB.
Step 2: Check Hostname and Domain
Verify the hostname and domain.
The host name must be entered as a Fully Qualified Domain Name (for example: mssql-kerberos-dc1.mssqlkerberos.com).
Confirm that the FQDN of the host has been used rather than a short host name or an IP address, because the service principal the client requests is built from that name.
Make sure the FQDN is resolvable by the DNS server:
nslookup <SQL Server FQDN>
e.g.: nslookup mssql-kerberos-dc1.mssqlkerberos.com
Step 3: Verify Service Principal Name (SPN) Configuration
Verify the servicePrincipalName (SPN) configuration.
Run the command below on the machine where SQL Server is installed, replacing the domain name and the SQL Server FQDN:
setspn -T <Domain_Name> -F -Q MSSQLSvc/<SQL_Server_FQDN>*
<Domain_Name> is replaced with the domain name of your environment.
<SQL_Server_FQDN> is replaced with the FQDN of the SQL Server.
The query should list an MSSQLSvc SPN registered for the SQL Server service account; if nothing is found, the SPN is not registered.
Step 4: Check krb5.ini Configuration
Verify the krb5.ini file.
Download the correct krb5.ini file: choose the appropriate krb5.ini file based on your domain setup:
Single Domain Environment: krb5_file_for_single_domain_environment.zip
Cross Domain Environment: krb5_file_for_cross_domain_environment.zip
Replace xxx with the domain name in capital letters (Kerberos realm names are case-sensitive).
Set kdc and admin_server to the Active Directory domain controller FQDN.
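As an added example (not part of the KB or of Applications Manager), the small checker below reads a krb5.ini and reports the mistakes this step warns about: a realm that is not in capital letters, an unreplaced xxx placeholder, and kdc/admin_server values that are not the domain controller's FQDN. The sample file is constructed for the example; the parser only understands the flat sections and realm blocks shown in it.

```python
import re
# Constructed sample (not from the KB): realm block left in lower case, kdc entered as a short host name.
BROKEN_KRB5_INI = """
[libdefaults]
default_realm = MSSQLKERBEROS.COM
[realms]
mssqlkerberos.com = {
    kdc = mssql-kerberos-dc1
    admin_server = mssql-kerberos-dc1.mssqlkerberos.com
}
"""
FQDN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

def parse_krb5(text):
    """Minimal krb5.ini parser: {section: {key: value}}; [realms] blocks nested as {REALM: {key: value}}."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or (section is None and not line.startswith("[")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
            conf.setdefault(section, {})
        elif line.endswith("{"):          # start of a realm block
            realm = line[:-1].split("=")[0].strip()
            conf[section][realm] = {}
        elif line == "}":                 # end of a realm block
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (conf[section][realm] if realm else conf[section])[key] = value
    return conf

def check_krb5(text):
    """List misconfigurations behind the 'Cannot locate default realm' and 'No service creds' errors of Step 7."""
    conf, problems = parse_krb5(text), []
    realm = conf.get("libdefaults", {}).get("default_realm", "")
    if not realm or "xxx" in realm.lower():
        problems.append("default_realm missing or still the xxx placeholder")
    elif realm != realm.upper():
        problems.append(f"default_realm '{realm}' must be in capital letters")
    realms, block = conf.get("realms", {}), conf.get("realms", {}).get(realm)
    if block is None:   # realm names are case-sensitive, so a lower-case entry does not match
        problems.append(f"no [realms] entry spelled exactly '{realm}'")
        block = next((v for k, v in realms.items() if k.upper() == realm.upper()), {})
    for key in ("kdc", "admin_server"):
        host = block.get(key, "")
        if not FQDN_RE.match(host):
            problems.append(f"{key} '{host}' is not the domain controller's FQDN")
    return problems
```

Running check_krb5 on the sample reports the lower-case realm block and the short kdc name; fixing both returns an empty list.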
Step 5: Ensure System Clock Synchronization
Verify the system clock.
Make sure the system clocks on the domain controller, the SQL Server and the AppManager computer are synchronized. With Kerberos, the maximum allowable clock skew is five minutes by default; a larger skew causes the KDC and the service to reject ticket requests.
Step 6: Check Ticket Cache (if applicable)
If a ticket cache is used, check its validity by running the klist command from the AppManager JRE:
Navigate to <APM_HOME>/working/jre/bin
klist -l username@domainname
e.g.: klist -l Administrator@APMKERBEROS.COM
Step 7: Common Error Cases and Troubleshooting Steps
GSS Failed: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
I/O Error: GSS Failed: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)
I/O Error: GSS Failed: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
For each of these errors, check the following:
Verify that a Kerberos ticket exists (use the klist command).
Ensure the SPN (Service Principal Name) is correctly configured for SQL Server.
Ensure the krb5.ini file contains the correct REALM and KDC entries.
Step 8: Collect Required Details if the Issue Persists
If the issue persists, collect the following from AppManager:
Enable Kerberos debug logging:
Add the line below to the wrapper.conf file under <AppManager_HOME>\working\conf (the index 33 must not already be used by another wrapper.java.additional entry in that file)
wrapper.java.additional.33=-Dsun.security.krb5.debug=true
Restart AppManager, try adding the MS SQL monitor again with the Kerberos configuration, and collect the logs generated.
Share screenshots showing that each of the above checks has been done:
SPN verification output (setspn command)
DNS resolution (nslookup command)
Kerberos ticket (klist command)
System clock synchronization status
The debug line added to wrapper.conf
Share the files below from AppManager:
File                 | Location
database_params.conf | APM_HOME/working/conf
java.security        | APM_HOME/working/jre/lib/security/
krb5.ini             | APM_HOME/working/conf/KerberosConfigurations/
login.conf           | APM_HOME/working/conf/KerberosConfigurations/MSSQL/MicrosoftJDBCDriver/
wrapper.conf         | APM_HOME/working/conf