Synopsis: You have configured Transparent Kerberos successfully, but users are still prompted to log in and this always fails

This is the first sign that there is a problem with your Transparent Kerberos configuration, because there should be no prompting at all. Transparent Kerberos is a single sign-on authentication method supported by modern web browsers.

If you are getting prompted repeatedly, please run through the following checklist:

  1. Ensure that the time on the CensorNet server is within 5 minutes of the time on the Active Directory server.
  2. Ensure that the time zone on the CensorNet server matches the time zone on the Active Directory server.
  3. Ensure that the web browser is not Internet Explorer 6 or below. These versions do not support Transparent Kerberos; please upgrade or change web browsers.
  4. Ensure that the web browser proxy settings are referencing CensorNet with the fully qualified hostname of CensorNet, rather than the IP address. To get the FQDN, type hostname -f at the CensorNet prompt (as root).
  5. Ensure that the CensorNet hostname (type: hostname) matches the machine account on Active Directory exactly. For example, if the hostname is censornet then the machine name cannot be Censornet; it must be 'censornet' as well. The cause of this mismatch is likely to be DNS.
  6. Ensure that the user has logged off and logged on at least once since you enabled Transparent Kerberos. This is required so that the user obtains a Kerberos ticket from the domain controller.
  7. Ensure that the CensorNet hostname is lower case. Do not use a mixed case hostname, e.g. CensorNet. To change the hostname, type: hostname as root and then edit /etc/hostname and /etc/hosts and add/update the new hostname.
  8. Ensure that there is no other user/machine in the AD with the same name as the CensorNet hostname. If there is, delete them/change them and then re-configure Transparent Kerberos.
  9. Ensure that the CensorNet hostname is not the same as the Windows domain/Active Directory domain name.
  10. If you previously used NTLM, make sure you delete the CensorNet machine/computer account and then reconfigure Transparent Kerberos, otherwise it may still be using the old NTLM trust relationship.
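
The checks in items 1, 4, 5, 7 and 9 can be scripted once the values have been collected. The following is an added example, not part of the original page or of CensorNet: the function names are hypothetical, the values are passed in as arguments, and nothing in it queries Active Directory.

```shell
# Added example: offline pre-flight for checklist items 1, 4, 5, 7 and 9.
# Function names are hypothetical; nothing here contacts Active Directory.

# Item 1: clocks within 5 minutes (300 s). Args: local epoch, AD server epoch.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "${skew#-}" -le 300 ]      # ${skew#-} strips the sign (absolute value)
}

# Item 4: the proxy host in the browser must be an FQDN, not an IP address.
proxy_ref_is_fqdn() {
    case "$1" in
        ''|*:*)    return 1 ;;  # empty, IPv6 literal, or host:port pasted whole
        *[!0-9.]*) ;;           # contains a non-digit, so not an IPv4 literal
        *)         return 1 ;;  # digits and dots only: IPv4 literal
    esac
    case "$1" in *.*) return 0 ;; *) return 1 ;; esac  # short names fail too
}

# Item 5: hostname and AD machine account must match exactly, case included.
matches_machine_account() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Item 7: hostname must contain no upper-case characters.
hostname_is_lower() {
    case "$1" in ''|*[[:upper:]]*) return 1 ;; *) return 0 ;; esac
}

# Item 9: hostname must differ from the domain name. Comparing without regard
# to case is an assumption of this example.
differs_from_domain() {
    h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    d=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$h" != "$d" ]
}

report() {
    if "$@"; then echo "PASS  $*"; else echo "FAIL  $*"; fails=$(( $fails + 1 )); fi
}

# Args: hostname, proxy host from browser, AD machine account, AD domain,
#       local time (epoch seconds), AD server time (epoch seconds).
# Prints one line per check; the return status is the number of failures.
preflight() {
    fails=0
    report clock_skew_ok "$5" "$6"
    report proxy_ref_is_fqdn "$2"
    report matches_machine_account "$1" "$3"
    report hostname_is_lower "$1"
    report differs_from_domain "$1" "$4"
    return "$fails"
}
```

On the CensorNet server the first argument would be "$(hostname)" and the fifth "$(date +%s)"; the proxy host, machine account, domain and AD server time have to be read from the browser and the domain controller.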

Once you have checked the above, if the problem persists, please contact Technical Support.

-- TimLloyd - 09 Jun 2010
