IBM Support

"Server not found in Kerberos database" when using native kerberos junction

Question & Answer


Question

Using a native Kerberos junction with users in multiple AD domains, I got "DPWAD1213E An error occurred when creating the Kerberos token: Server not found in Kerberos database".

Cause

Answer

Microsoft imposes a requirement, not well documented, that in a multi-AD-domain environment the KDC that should be contacted to request a ticket on behalf of a user can only be identified correctly if the SPN of the server delegated to request that ticket is in the format


HTTP/webprox.mydomain.mycompany.com@MYDOMAIN.MYCOMPANY.COM


where:


- The realm (such as 'MYDOMAIN.MYCOMPANY.COM') must be the upper-case version of the Windows domain name in which ISAM WebSEAL and the Kerberos targets reside.

- The SPN (such as 'HTTP/webprox.mydomain.mycompany.com') must be unique across the domains/forests.

- The domain portion of the FQDN in the SPN must match the real DNS name of the AD domain where ISAM WebSEAL and the Kerberos targets reside, e.g. an SPN like HTTP/webprox.mydomain.mycompany.com@MYDOMAIN.MYCOMPANY.COM is OK, while an SPN like HTTP/webprox.anotherdomain.mycompany.com@MYDOMAIN.MYCOMPANY.COM is not.
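The three rules above as a small check, added here as an example and not part of IBM's documentation or the ISAM product: it parses an SPN of the form SERVICE/fqdn@REALM and reports which rule is violated, and separately flags SPNs registered in more than one domain. The AD domain name and the per-domain SPN inventory passed in are assumptions (constructed inputs), not values from the page.

```python
"""Check a WebSEAL Kerberos junction SPN against the multi-domain rules above."""
import re

# <SPN>@<REALM>, where the SPN itself is <service>/<fqdn>
_SPN_RE = re.compile(r"^(?P<service>[A-Za-z]+)/(?P<fqdn>[^@\s]+)@(?P<realm>[^@\s]+)$")


def check_spn(spn: str, ad_domain_dns: str) -> list[str]:
    """Return the list of rule violations for `spn`; an empty list means OK.

    ad_domain_dns is the DNS name of the AD domain where WebSEAL and the
    Kerberos targets reside, e.g. 'mydomain.mycompany.com' (assumed input).
    """
    problems = []
    m = _SPN_RE.match(spn)
    if not m:
        return ["SPN is not in the form SERVICE/fqdn@REALM"]
    fqdn, realm = m.group("fqdn"), m.group("realm")
    # Domain portion of the host FQDN: everything after the first label
    host_domain = fqdn.split(".", 1)[1] if "." in fqdn else ""
    # Rule 1: realm must be the upper-case form of the AD domain's DNS name
    if realm != ad_domain_dns.upper():
        problems.append(f"realm {realm!r} is not the upper-case form of {ad_domain_dns!r}")
    # Rule 3: domain portion of the SPN host must be the AD domain's real DNS name
    if host_domain.lower() != ad_domain_dns.lower():
        problems.append(f"host domain {host_domain!r} does not match AD domain {ad_domain_dns!r}")
    return problems


def find_duplicate_spns(registered: dict[str, list[str]]) -> set[str]:
    """Rule 2: an SPN must be unique across domains/forests.

    `registered` maps each domain to the SPNs (without realm) registered in it,
    as gathered from a per-domain SPN query (constructed here). Returns the
    SPNs, lower-cased, that appear in more than one domain.
    """
    seen: dict[str, set[str]] = {}
    for domain, spns in registered.items():
        for s in spns:
            seen.setdefault(s.lower(), set()).add(domain)
    return {s for s, domains in seen.items() if len(domains) > 1}
```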


Document Information

Modified date:
16 June 2018

UID

swg22006823