Question & Answer
Question
Using a native Kerberos junction with users in multiple AD domains, I got "DPWAD1213E An error occurred when creating the Kerberos token: Server not found in Kerberos database".
Answer
Microsoft does not document this requirement clearly, but in a multi-domain AD environment WebSEAL can only work out which KDC to contact for a ticket on behalf of a user if the SPN of the server that is delegated to request the ticket has the form
HTTP/webprox.mydomain.mycompany.com@MYDOMAIN.MYCOMPANY.COM
where:
- The realm (such as 'MYDOMAIN.MYCOMPANY.COM') must be the upper-case form of the DNS name of the Windows domain in which ISAM WebSEAL and the Kerberos targets reside.
- The SPN (such as 'HTTP/webprox.mydomain.mycompany.com') must be unique across all domains and forests involved.
- The domain portion of the SPN's FQDN must match the real DNS name of the AD domain where ISAM WebSEAL and the Kerberos targets reside. For example, HTTP/webprox.mydomain.mycompany.com@MYDOMAIN.MYCOMPANY.COM is acceptable, while HTTP/webprox.anotherdomain.mycompany.com@MYDOMAIN.MYCOMPANY.COM is not, because the host's domain (anotherdomain.mycompany.com) is not the domain named by the realm (mydomain.mycompany.com).
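As an added check (example code written for this page, not part of the technote or of ISAM WebSEAL), the following Python applies the three rules above to a candidate SPN and, for the uniqueness rule, looks for the same SPN registered on more than one account in a constructed inventory. The function names, the regular expression and the sample registrations are this example's own assumptions; the SPN values are the ones from the technote.

```python
import re

# Grammar for the SPN forms this technote concerns: service/host[:port][/instance][@REALM].
# The regex and the rules below are this example's own interpretation of the three
# requirements in the technote, not IBM's or Microsoft's code.
SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z][A-Za-z0-9_-]*)/"
    r"(?P<host>[^@/:]+)"
    r"(?::(?P<port>\d+))?"
    r"(?:/(?P<instance>[^@]+))?"
    r"(?:@(?P<realm>[^@]+))?$"
)


def parse_spn(spn):
    """Split an SPN into its named parts; raise ValueError if it is not SPN-shaped."""
    m = SPN_RE.match(spn.strip())
    if not m:
        raise ValueError(f"not a well-formed SPN: {spn!r}")
    return m.groupdict()


def check_spn(spn, ad_domain, service="HTTP"):
    """Return the list of rule violations for the SPN WebSEAL will use.

    ad_domain is the DNS name of the AD domain where WebSEAL and the Kerberos
    targets reside (e.g. 'mydomain.mycompany.com'). An empty list means the SPN
    satisfies the realm and host-domain rules; uniqueness needs a directory
    inventory (see find_duplicate_spns).
    """
    try:
        parts = parse_spn(spn)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    ad_domain = ad_domain.strip(".").lower()
    expected_realm = ad_domain.upper()

    if parts["service"].upper() != service.upper():
        problems.append(f"service class {parts['service']!r} is not {service!r}")

    # Rule 1: an explicit realm that is exactly the upper-case AD domain name.
    if parts["realm"] is None:
        problems.append("realm missing: the SPN must end in @REALM so the right KDC is chosen")
    elif parts["realm"] != expected_realm:
        problems.append(f"realm {parts['realm']!r} must be {expected_realm!r} (upper-case AD domain)")

    # Rule 3: the host's domain suffix must be the real DNS name of that AD domain.
    host = parts["host"].lower().rstrip(".")
    if "." not in host:
        problems.append(f"host {host!r} is not a fully qualified DNS name")
    else:
        host_domain = host.split(".", 1)[1]
        if host_domain != ad_domain:
            problems.append(f"host domain {host_domain!r} does not match the AD domain {ad_domain!r}")
    return problems


def find_duplicate_spns(registrations):
    """Rule 2: report SPNs registered on more than one account.

    registrations is an iterable of (account, spn) pairs gathered from every
    domain and forest involved. The realm is ignored on purpose: two accounts
    holding HTTP/webprox.mydomain.mycompany.com collide even when one of them
    lives in another domain, and the comparison is case-insensitive.
    """
    owners = {}
    for account, spn in registrations:
        p = parse_spn(spn)
        key = (p["service"].upper(), p["host"].lower().rstrip("."), p["port"])
        owners.setdefault(key, set()).add(account)
    duplicates = {}
    for (svc, host, port), accounts in owners.items():
        if len(accounts) > 1:
            name = f"{svc}/{host}" + (f":{port}" if port else "")
            duplicates[name] = sorted(accounts)
    return duplicates


# Constructed inventory for the demonstration (not real directory data); the
# ANOTHERDOMAIN account re-registers WebSEAL's SPN and so breaks the uniqueness rule.
CONSTRUCTED_REGISTRATIONS = [
    ("MYDOMAIN\\svc-webseal", "HTTP/webprox.mydomain.mycompany.com"),
    ("ANOTHERDOMAIN\\svc-proxy", "http/WEBPROX.mydomain.mycompany.com"),
    ("MYDOMAIN\\svc-app", "HTTP/app1.mydomain.mycompany.com"),
]

if __name__ == "__main__":
    for spn in (
        "HTTP/webprox.mydomain.mycompany.com@MYDOMAIN.MYCOMPANY.COM",
        "HTTP/webprox.anotherdomain.mycompany.com@MYDOMAIN.MYCOMPANY.COM",
        "HTTP/webprox.mydomain.mycompany.com@mydomain.mycompany.com",
        "HTTP/webprox.mydomain.mycompany.com",
    ):
        print(spn, "->", check_spn(spn, "mydomain.mycompany.com") or "OK")
    print("duplicates:", find_duplicate_spns(CONSTRUCTED_REGISTRATIONS))
```

The string checks cannot prove uniqueness on their own; the registrations fed to find_duplicate_spns have to come from the directory, for example from the servicePrincipalName attribute of every account in each domain, or from the output of Microsoft's setspn tool (setspn -X searches for duplicate SPNs). Only an SPN that passes all three checks should go into the keytab WebSEAL uses for the junction.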
Document Information
Modified date: 16 June 2018
UID: swg22006823