Cannot get Kerberos service ticket KrbException Server not found in Kerberos database 7

Question

I m developing using the GSSAPI  and I have code which works with a vanilla MIT Kerberos 5 server to do some client server work  I m now verifying it s functionality against Active Directory and I ve hit an issue   I have my server authenticated and listening  I can get the client to login  For the record  this is code based off of http   thejavamonkey blogspot com 2008 04 clientserver-hello-world-in-kerberos html  However  I cannot get the client to get the ticket back from AD to get the session between it and the server  I get KrbException  Server not found in Kerberos database  7   and I cannot figure out where the proper place is to add it  I ve tried putting the server name with ip in the hosts file  updating dns  putting in server records  etc  with no luck   If anyone knows where the proper place is to update AD to set a server in the Kerberos Database  that would be great

User · Answer

In my case  it s caused by wrong configuration of the requested server s address  The server address should be an FQDN  fully qualified domain name   FQDN is always required by Kerberos

User · Answer

In my case  My principal was kafka kafka niroshan com NIROSHAN COM I got below lines in the terminal    gt  gt  gt  KrbKdcReq send   bytes read 190  gt  gt  gt  KdcAccessibility  remove kerberos niroshan com  gt  gt  gt  KDCRep  init   encoding tag is 126 req type is 13  gt  gt  gt KRBError           cTime is Thu Oct 05 03 42 15 UTC 1995 812864535000          sTime is Fri May 31 06 43 38 UTC 2019 1559285018000          suSec is 111309          error code is 7          error Message is Server not found in Kerberos database          cname is kafka kafka niroshan com NIROSHAN COM          sname is kafka kafka com NIROSHAN COM          msgType is 30   After hours of checking  I just found the below line has a wrong value in kafka 2 12-2 2 0 server properties  listeners SASL PLAINTEXT   kafka com 9092  Also I got two entries of kafka niroshan com and kafka com for same IP address    I changed it to as listeners SASL PLAINTEXT   kafka niroshan com 9092 Then it worked   According to the below link  the principal should contain the Fully Qualified Domain Name  FQDN  of each host and it should be matched with the principal   https   docs oracle com cd E19253-01 816-4557 planning-25 index html

User · Answer

This looks like a missing SPN issue  The website you had pointed to has   principal  webserver bully EXAMPLE COM     This is the principal for which the ticket would be obtained  Did you change this to a value relative to your AD domain   You could use the command line kerberos tools to test if you have the SPN defined    root gen-cs218 bin   kinit Administrator Administrator SIGNING TEST s Password   root gen-cs218 bin   kgetcred host tcfe102 SIGNING TEST  root gen-cs218 bin   klist Credentials cache  FILE  tmp krb5cc 0         Principal  Administrator SIGNING TEST    Issued                Expires               Principal  lt br gt  Dec 15 11 42 34 2012  Dec 15 21 42 34 2012  krbtgt SIGNING TEST SIGNING TEST Dec 15 11 42 48 2012  Dec 15 21 42 34 2012  host tcfe102 SIGNING TEST   Hostname based SPNs are pre-defined   If you want to use a SPN that is not pre-defined you will have to explicitly define it in AD using the setspn exe tool and associate it with either a computer or an user account  for example   c   gt  setspn exe -A  webserver bully MYDOMAIN  myuser   You can check which account a SPN is associated with by using the command below  This will not show pre-defined SPNs   c   gt  setspn exe -L  webserver bully MYDOMAIN

User · Answer

Consider adding   appdefaults  validate false   to your  etc krb5 conf   This can work around mismatching DNS

User · Answer

sqlcmd works  System Data SqlClient not working - Server not found in Kerberos database  You should add RestrictedKrbHost SPN  https   docs microsoft com en-us openspecs windows protocols ms-kile 445e4499-7e49-4f2a-8d82-aaf2d1ee3c47  5 1 2 SPNs with Serviceclass Equal to  RestrictedKrbHost   Supporting the  RestrictedKrbHost  service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name  This does not provide client-to-service mutual authentication  but rather client-to-server computer authentication  Services of different privilege levels have the same session key and could decrypt each other s data if the underlying service does not ensure that data cannot be accessed by higher services

User · Answer

You would be surprised if I told you that I received this error when the UPN search was not returning any entry  meaning the user is not found  instead of getting a clear indication that the query returned no items  So I recommend revising your query part or using AdExplorer to make sure that the users groups you are looking for are reachable by the query you are using  depending on what you are using as an attribute for search sAMAccount  userPrincipalName  CN  DN   Please note this can also happen when the AD you are connecting to is trying to find that user in another AD instance that your machine could not reach as part of your connections settings to that initial AD instance  params put Context REFERRAL   quot follow quot

User · Answer

I hope this helps    I got this same error message  Server not found in Kerberos database  7   but this occurs after the successful use of the keytab to login   The error message occurs when we attempt to use the credentials to do LDAP searches against AD   This has only started happening since java 1 6 0 34 - it worked with 1 6 0 31 which I think was previous release  The error occurs because the java doesn t trust that the KDC it is communicating with for LDAP is actually part of the Kerberos realm  In our case  I think it is because the LDAP connection is made with the server name found via the round-robin d resolved query  That is  java resolves realm example com  but gets any one of kdc1 example com or kdc2 example  com   etc   They must have tightened the checking betweeen these releases   In our case the problem was worked around by setting the ldap server name directly rather than relying on DNS     But investigations continue

User · Answer

Server not found in Kerberos database  error can happen if you have registered the SPN to multiple users computers   You can check that with     SetSPN -Q ServicePrincipalName   SetSPN -Q HTTP my server local MYDOMAIN

User · Answer

This exception comes from the client  right  Please perform a forward and reverse DNS lookup of the server hostname  Your server has incorrect DNS entries  They are absolutely crucial for Kerberos  The proper place is your DNS server  in your case  domain controller  Figure out the IP address of your DNS server and contact your admin  The other option is a missing SPN  please check that too

[active-directory] Cannot get Kerberos service ticket: KrbException: Server not found in Kerberos database (7)

Examples related to active-directory

Examples related to kerberos