Step 1: Verify Kerberos Configuration in AppManager  

Step 2: Check Hostname and Domain  

         Step 3: Verify Service Principal Name (SPN) Configuration  

Step 4: Check krb5.ini Configuration  

Step 5: Ensure System Clock Synchronization  

Step 6: Check Ticket Cache (if applicable)  

  Step 7: Collect required details if the Issue Persists  

Step 8: Common Error Cases and Troubleshooting Steps

Step 1: Verify Kerberos Configuration in AppManager  

• Ensure Kerberos is configured in AppManager as per the KB.

Step 2: Check Hostname and Domain  

• Verify the hostname and domain

• Host name should be entered as Fully Qualified Domain Name (for example : mssql-kerberos-dc1.mssqlkerberos.com)

• Have they used the FQDN of the hostname

• Make sure the FQDN is resolvable by the DNS Server.

• nslookup <SQL Server FQDN>

• Eg : nslookup mssql-kerberos-dc1.mssqlkerberos.com

Step 3: Verify Service Principal Name (SPN) Configuration  

• Verify the servicePrincipalName(SPN Configuration)

• Run the below command on the SQL Server installed machine by replacing the domain name and the SQL Server FQDN

• setspn -T <Domain_Name> -F -Q MSSQLSvc/<SQL_Server_FQDN>*

• <Domain_Name> is replaced with the domain name of your environment.

• <SQL_Server_FQDN> is replaced with the FQDN of SQL Server.

• 

Step 4: Check krb5.ini Configuration  

verify krb5.ini file

• Download the Correct krb5.ini File: Choose the appropriate krb5.ini file based on your domain setup:

• Single Domain Environment: krb5_file_for_single_domain_environment.zip

• Cross Domain Environment: krb5_file_for_cross_domain_environment.zip

• Replace with xxx with the DOMAIN NAME in Capital letter

• Set kdc and admin_server to the Active Directory controller FQDN.

Step 5: Ensure System Clock Synchronization  

• Verify the system clock

• You must make sure the system clocks on the domain controller, SQL Server, and appmanager computer are synchronized. With Kerberos, the maximum allowable clock skew is five minutes by default.

Step 6: Check Ticket Cache (if applicable)  

• If they are using the ticketcache, ask him to check the validity of it by executing klist command from appmanager

• Navigate to <APM_HOME>/working/jre/bin

• klist -l username@domainname

• Eg: klist -l Administrator@APMKERBEROS.COM

Step 7: Common Error Cases and Troubleshooting Steps

1. GSS Failed:No valid credentials provided (Mechanism level:Attempt to obtain new INITIATE credentials failed! (null)

2. I/O Error:GSS Failed:Invalid name provided (Mechanism level:KrbException: Cannot locate default realm)

3. I/O Error:GSS Failed:No valid credentials provided (Mechanism level: Fail to createcredential.(63)-Noservice creds)

1. Verify if a Kerberos ticket exists (use the klist command).

2. Ensure SPN (Service Principal Name) is correctly configured for SQL Server.

3. Ensure the krb5.ini file contains the correct REALM and KDC entries.

Step 8: Collect required details if the Issue Persists  

• If the issue persist, collect the following files from AppManager:

• Enable Kerberos Debug Logging:

• Add the below line in wrapper.conf file present under AppManager_HOME>\working\conf

• wrapper.java.additional.33=-Dsun.security.krb5.debug=true

• Restart the appmanager and try to add the MS SQL using the kerberos configuration and generate log

• Share the proof for above configuration has been done properly with proper screenshot

• SPN verification output (setspn command)

• DNS resolution (nslookup command)

• Kerberos ticket (klist command)

• System clock synchronization status

• Added debug line in wrapper.conf

• Share below files from appmanager