Troubleshooting Kerberos


When beginning to troubleshoot Kerberos issues, the most important ticket to check is the TGT (krbtgt). If you do not have this ticket, you will not receive tickets for any other service.

If you are not receiving any tickets, verify that the date and time of the ticket is close to the date and time on your computer. Time is very important with Kerberos: if the client and the KDC are out of sync by more than 300 seconds (in default installations of both Mac OS X Server and Active Directory), the client will fail to authenticate with the KDC. This is a security measure that prevents someone from replaying captured packets at a later time. The date, time, and time zone information must be correct on the KDC server and clients, and they all should use the same network time service to keep their clocks in sync. TGTs also have a finite lifespan set by the KDC server administrator. All computers leveraging Kerberos, from the KDC to service servers to clients, can function properly in a Kerberos environment across multiple time zones.

If Login Window did not request the TGT, or if you destroyed all the tickets in the cache, you can use kinit to receive a new TGT. This will help isolate authentication problems to either Login Window or the KDC.
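
The troubleshooting order described above, as an added shell example that is not from the book: it classifies a klist-style ticket listing together with a pair of clock readings. The function names, the constructed sample listings, and passing the KDC's time in as an epoch argument are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example; all function names are hypothetical.
MAX_SKEW=300   # default tolerance in seconds, as stated in the text

# Constructed klist-style listings (sample data, not captured output).
sample_with_tgt() {
cat <<'EOF'
Default principal: alice@EXAMPLE.COM

Valid Starting     Expires            Service Principal
03/01/05 10:00:00  03/01/05 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
03/01/05 10:02:11  03/01/05 20:00:00  afpserver/server.example.com@EXAMPLE.COM
EOF
}
sample_empty() {
cat <<'EOF'
Default principal: alice@EXAMPLE.COM
EOF
}

# Print the service principal (last field) of every ticket line on stdin.
service_principals() {
    awk 'NF >= 5 && $NF ~ /^[^@]+[\/][^@]+@[^@]+$/ { print $NF }'
}

# abs_skew CLIENT_EPOCH KDC_EPOCH -> absolute clock difference in seconds
abs_skew() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    echo "$d"
}

# triage CLIENT_EPOCH KDC_EPOCH < klist-output
# OK: TGT and service tickets present.  TGT_ONLY: look at the service side.
# NO_TGT_CLOCK_SKEW: fix time sync first.  NO_TGT: run kinit to isolate
# Login Window from the KDC.
triage() {
    principals=$(service_principals)
    skew=$(abs_skew "$1" "$2")
    if printf '%s\n' "$principals" | grep -q '^krbtgt/'; then
        if printf '%s\n' "$principals" | grep -qv '^krbtgt/'; then
            echo OK
        else
            echo TGT_ONLY
        fi
    elif [ "$skew" -gt "$MAX_SKEW" ]; then
        echo NO_TGT_CLOCK_SKEW
    else
        echo NO_TGT
    fi
}

# Constructed clock readings, 400 seconds apart.
sample_empty | triage 1109671200 1109670800
```
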




Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
EAN: 2147483647
Year: 2005
Pages: 258
Authors: Schoun Regan
