SQL Server Kerberos Configuration Troubleshooting Guide

Step 1: Verify Kerberos Configuration in AppManager

Step 2: Check Hostname and Domain

Step 3: Verify Service Principal Name (SPN) Configuration

Step 4: Check krb5.ini Configuration

Step 5: Ensure System Clock Synchronization

Step 6: Check Ticket Cache (if applicable)

Step 7: Common Error Cases and Troubleshooting Steps

Step 8: Collect Required Details if the Issue Persists

 

Step 1: Verify Kerberos Configuration in AppManager  

  • Ensure Kerberos authentication is configured in Applications Manager as described in the KB article "Enabling Kerberos Authentication for SQL Server in Applications Manager".

 

Step 2: Check Hostname and Domain  

  • Verify the hostname and domain

    • The host name must be entered as a Fully Qualified Domain Name (for example: mssql-kerberos-dc1.mssqlkerberos.com), not a short name or an IP address, because the Kerberos service ticket is requested for the name the client connects with.

    • Confirm that the FQDN of the SQL Server host was used in the monitor configuration.

    • Make sure the FQDN is resolvable by the DNS server:

      • nslookup <SQL Server FQDN>

      • Example: nslookup mssql-kerberos-dc1.mssqlkerberos.com

 

 

Step 3: Verify Service Principal Name (SPN) Configuration  

  • Verify the servicePrincipalName (SPN) configuration

    • Run the command below on the machine where SQL Server is installed, replacing the domain name and the SQL Server FQDN:

    • setspn -T <Domain_Name> -F -Q MSSQLSvc/<SQL_Server_FQDN>*

      • <Domain_Name> is replaced with the domain name of your environment.

      • <SQL_Server_FQDN> is replaced with the FQDN of SQL Server.

      • The output should report an existing SPN such as MSSQLSvc/<SQL_Server_FQDN>:1433 (or :<instance name>) registered on the account that runs the SQL Server service; "No such SPN found" means the SPN is missing and Kerberos authentication cannot work until it is registered.

 

Step 4: Check krb5.ini Configuration  

  • Verify the krb5.ini file

    • Download the correct krb5.ini file: choose the appropriate file based on your domain setup:

      • Single Domain Environment: krb5_file_for_single_domain_environment.zip

      • Cross Domain Environment: krb5_file_for_cross_domain_environment.zip

    • Replace xxx with the domain name (the Kerberos realm) in capital letters.

    • Set kdc and admin_server to the FQDN of the Active Directory domain controller.
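The following is an added example, not one of the KB's attached krb5 files: a constructed single-domain krb5.ini laid out the way step 4 describes, plus a small checker for the points the step lists (realm in capital letters, kdc and admin_server set to the domain controller FQDN, no leftover xxx placeholder, and a [domain_realm] mapping for the SQL Server's domain). The realm MSSQLKERBEROS.COM is derived from the KB's example FQDN; the host dc01 is a placeholder.

```python
import re
# Constructed krb5.ini as the KB's single-domain file is laid out: xxx replaced by the realm in capitals, kdc/admin_server set to the DC FQDN (dc01 is a placeholder).
GOOD_KRB5_INI = """
[libdefaults]
    default_realm = MSSQLKERBEROS.COM
[realms]
    MSSQLKERBEROS.COM = {
        kdc = dc01.mssqlkerberos.com
        admin_server = dc01.mssqlkerberos.com
    }
[domain_realm]
    .mssqlkerberos.com = MSSQLKERBEROS.COM
"""

def parse_krb5_ini(text):
    """Return {section: {key: value}}; realm blocks under [realms] are nested dicts."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section, realm = line.strip("[]"), None
            conf.setdefault(section, {})
        elif line == "}":
            realm = None
        elif "=" in line and section:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":          # start of a realm block
                realm, conf[section][key] = key, {}
            else:
                (conf[section][realm] if realm else conf[section])[key] = value
    return conf

def check_krb5_ini(text, sql_server_fqdn):
    """Findings against the KB's krb5.ini checks; an empty list means it passes."""
    conf, findings = parse_krb5_ini(text), []
    if re.search(r"\bxxx\b", text, re.IGNORECASE):
        findings.append("placeholder xxx still present; replace it with the realm")
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:  # the Java GSS layer reports this as 'Cannot locate default realm'
        return findings + ["default_realm missing from [libdefaults]"]
    if realm != realm.upper():
        findings.append(f"realm '{realm}' must be written in capital letters")
    block = conf.get("realms", {}).get(realm, {})
    for key in ("kdc", "admin_server"):
        if "." not in block.get(key, ""):   # missing, still xxx, or a short host name
            findings.append(f"[realms] {realm}: {key} must be the domain controller FQDN")
    domain = sql_server_fqdn.split(".", 1)[1].lower()   # drop the host label
    if not any(conf.get("domain_realm", {}).get(d) == realm for d in (domain, "." + domain)):
        findings.append(f"[domain_realm] does not map {domain} to {realm}")
    return findings
```

Run check_krb5_ini against the krb5.ini actually deployed under APM_HOME/working/conf/KerberosConfigurations/ with the SQL Server FQDN entered in the monitor; any finding returned points at the step 4 item to fix.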

 

Step 5: Ensure System Clock Synchronization  

  • Verify the system clock

    • Make sure the system clocks on the domain controller, the SQL Server machine, and the Applications Manager machine are synchronized. With Kerberos, the maximum allowable clock skew is five minutes by default; a larger skew makes the KDC reject ticket requests.

 

Step 6: Check Ticket Cache (if applicable)  

  • If a ticket cache is used, check that the cached ticket is still valid by running the klist command on the Applications Manager machine.

Step 7: Common Error Cases and Troubleshooting Steps

  1. GSS Failed: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))

  2. I/O Error: GSS Failed: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)

  3. I/O Error: GSS Failed: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)

  For any of these errors, work through the following checks. Error 2 points at the realm settings in krb5.ini (check 3); error 1 typically means no usable Kerberos ticket could be obtained (check 1), and error 3 typically means no service ticket could be issued because the SPN is missing (check 2).

    1. Verify if a Kerberos ticket exists (use the klist command).

    2. Ensure the SPN (Service Principal Name) is correctly configured for SQL Server.

    3. Ensure the krb5.ini file contains the correct REALM and KDC entries.

 

Step 8: Collect Required Details if the Issue Persists

  • If the issue persists, collect the following from Applications Manager:

  • Enable Kerberos debug logging:

    • Add the line below to the wrapper.conf file under <AppManager_HOME>\working\conf (if index 33 is already used by another wrapper.java.additional entry in the file, use the next free index instead):

    • wrapper.java.additional.33=-Dsun.security.krb5.debug=true

  • Restart Applications Manager, try to add the MS SQL monitor using the Kerberos configuration, and generate the log.

  • Share screenshots proving that the configuration above has been done correctly:

    • SPN verification output (setspn command)

    • DNS resolution (nslookup command)

    • Kerberos ticket (klist command)

    • System clock synchronization status

    • The debug line added to wrapper.conf

  • Share the files below from Applications Manager:

    File                  Location
    database_params.conf  APM_HOME/working/conf
    java.security         APM_HOME/working/jre/lib/security/
    krb5.ini              APM_HOME/working/conf/KerberosConfigurations/
    login.conf            APM_HOME/working/conf/KerberosConfigurations/MSSQL/MicrosoftJDBCDriver/
    wrapper.conf          APM_HOME/working/conf
