Kerberos Ticket Issues: Browser Fixes

TL;DR

Your browser isn’t getting a Kerberos ticket for accessing certain services? This guide walks you through common causes and fixes, from checking your configuration to clearing caches. We’ll cover Windows, macOS, and Linux.

Troubleshooting Steps

  1. Check Your Browser Configuration
    • Internet Explorer/Edge (Windows): Kerberos is usually handled automatically if your machine is joined to a domain. However, ensure the Intranet Zone settings include the service’s URL. Go to Internet Options > Security > Local intranet and click ‘Sites’.
    • Firefox: Kerberos authentication should be enabled by default. You can verify this in about:config: search for network.negotiate-auth.trusted-uris and make sure the service’s domain is listed (comma-separated if there are several). If it’s not there, add it.
    • Chrome/Chromium-based browsers: Chrome relies on the operating system’s Kerberos settings. Ensure your OS is configured correctly (see steps 2 & 3).
  2. Verify Your krb5.conf File (Linux/macOS)

    The krb5.conf file tells Kerberos where to find the Key Distribution Center (KDC). Incorrect settings here will prevent ticket generation.

    • Location: Typically found in /etc/krb5.conf or /usr/local/etc/krb5.conf.
    • Check the [realms] section: Ensure your realm is defined correctly, including the KDC servers.
      [realms]
      EXAMPLE.COM = {
          kdc = kdc.example.com
          admin_server = kdc.example.com
      }

      [domain_realm]
      .example.com = EXAMPLE.COM
      example.com = EXAMPLE.COM
      
  3. Ensure Your Hosts File is Correct

    Your hosts file maps domain names to IP addresses. An incorrect entry for your KDC server can cause issues.

    • Location: /etc/hosts (Linux/macOS) or C:\Windows\System32\drivers\etc\hosts (Windows).
    • Verify the KDC entry: Make sure it resolves to the correct IP address.
      192.168.1.10  kdc.example.com kdc
  4. Clear Browser Cache and Cookies

    Old cached credentials can interfere with Kerberos authentication.

    • In your browser settings, clear the cache and cookies for all time.
  5. Restart Your Browser and/or Computer

    Sometimes a simple restart is enough to refresh the Kerberos context.

  6. Check DNS Resolution

    Ensure your computer can resolve the hostname of the KDC server correctly. Use nslookup or dig.

    • Example (Linux/macOS):
      dig kdc.example.com
    • Example (Windows):
      nslookup kdc.example.com
  7. Obtain a Kerberos Ticket Manually (for testing)

    This helps determine if the issue is with the browser or the underlying Kerberos setup.

    • Linux/macOS (replace username with your own principal name):
      kinit username@EXAMPLE.COM
    • After running this command, try accessing the service through your browser. If it works, the problem is likely browser-related.
  8. Windows Authentication Settings (Windows)

    Ensure Windows authentication isn’t disabled for the Intranet Zone.

    • Go to Internet Options > Security > Local intranet and ensure ‘Automatic logon with current user name and password’ is checked.
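
The checks in steps 2, 3 and 6 can be combined into one offline script. The following is an added example, not part of the original guide: it parses krb5.conf text for the default realm's KDC hosts and compares each host's hosts-file entry with the address DNS returned. The function names, the sample inputs and the dns_answers dictionary (filled in by hand from dig or nslookup output) are assumptions made for this example.

```python
# Constructed sample inputs (not from a real system).
SAMPLE_KRB5 = """[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
    }
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.168.1.10  kdc.example.com kdc  # pinned KDC\n"

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc hosts]}) from krb5.conf text."""
    section, realm, default, kdcs = None, None, None, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif line == "}":
            realm = None
        elif section == "realms" and realm is None and line.endswith("{"):
            realm = line.split("=")[0].strip()
            kdcs[realm] = []
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default = value
            elif realm and key == "kdc":
                kdcs[realm].append(value.split(":")[0])  # drop optional :port
    return default, kdcs

def parse_hosts(text):
    """Map each hostname/alias in hosts-file text to its IP (first entry wins)."""
    table = {}
    for fields in (l.split("#", 1)[0].split() for l in text.splitlines()):
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def check(krb5_text, hosts_text, dns_answers):
    """Return findings; dns_answers maps KDC host -> IP taken from dig/nslookup."""
    default, kdcs = parse_krb5(krb5_text)
    hosts, findings = parse_hosts(hosts_text), []
    if not kdcs.get(default):
        findings.append(f"realm {default} has no kdc entries in [realms]")
    for host in kdcs.get(default, []):
        pinned, dns = hosts.get(host.lower()), dns_answers.get(host)
        if pinned and dns and pinned != dns:
            findings.append(f"{host}: hosts file says {pinned}, DNS says {dns}")
    return findings
```

A mismatch finding means the hosts file overrides DNS for the KDC, so confirm which address is the real KDC before requesting tickets. A realm with no kdc entries is only a fault when the client is not locating KDCs through DNS SRV records.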