Citrix ADC Kerberos unable to reach any KDC in realm


Julian Jakob

Hi,

I remember some bugs and problems in a few older ADC builds in combination with Kerberos. I'm now trying to set up Kerberos for Exchange from my ADC. I tried with different 12.1 builds and the latest 13.0 build. I'm getting the same errors in nskrb.debug every time. I checked all the known things like correct DNS via UDP and TCP / Kerberos SRV entries in Active Directory, as mentioned in https://discussions.citrix.com/topic/379524-netscaler-kcd-sso-failure/ and the older published article https://support.citrix.com/article/CTX202303

-> All without luck.

Very thankful for any ideas which I can try. I tried different Exchange servers with different delegation / SPNs; I think I can focus on the problem on my ADC side.

Wed Jan 20 22:15:42 2021 krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
Wed Jan 20 22:15:42 2021 krbhst.c[447]: srv_get_hosts searching DNS for realm mydomain.com tcp.kerberos -> 0
Wed Jan 20 22:15:42 2021 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC01.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC02.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021 krbhst.c[679]: kdc_get_next attempting http srv lookup for kerberos service
Wed Jan 20 22:15:42 2021 krbhst.c[91]: srv_find_realm DNS lookup failed domain: _kerberos._http.mydomain.com.
Wed Jan 20 22:15:42 2021 krbhst.c[447]: srv_get_hosts searching DNS for realm mydomain.com http.kerberos -> -1765328228
Wed Jan 20 22:15:42 2021 krbhst.c[500]: fallback_get_hosts fallback lookup 0 for realm mydomain.com (serice kerberos)
Wed Jan 20 22:15:42 2021 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC01.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC02.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC01.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC02.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021 send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm mydomain.com = -1765328228
Wed Jan 20 22:15:42 2021 send_to_kdc.c[704]: krb5_sendto_context unable to reach any KDC in realm mydomain.com
Wed Jan 20 22:15:42 2021 krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
Wed Jan 20 22:15:42 2021 krbhst.c[447]: srv_get_hosts searching DNS for realm mydomain.com tcp.kerberos -> 0
Wed Jan 20 22:15:42 2021 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC02.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC01.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021 krbhst.c[679]: kdc_get_next attempting http srv lookup for kerberos service
Wed Jan 20 22:15:42 2021 krbhst.c[91]: srv_find_realm DNS lookup failed domain: _kerberos._http.mydomain.com.
Wed Jan 20 22:15:42 2021 krbhst.c[447]: srv_get_hosts searching DNS for realm mydomain.com http.kerberos -> -1765328228
Wed Jan 20 22:15:42 2021 krbhst.c[500]: fallback_get_hosts fallback lookup 0 for realm mydomain.com (serice kerberos)
Wed Jan 20 22:15:42 2021 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC02.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC01.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC02.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC01.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021 send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm mydomain.com = -1765328228
Wed Jan 20 22:15:42 2021 send_to_kdc.c[704]: krb5_sendto_context unable to reach any KDC in realm mydomain.com

Best Regards

Julian

I only get "unable to reach any KDC in realm kekse-lab.de" in my LAB if I block TCP/UDP Port 88 on my Domain Controller:

Maybe some kind of firewall issue on your side as well?

root@ns121# /netscaler/nskrb kinit CTXAdmin@kekse-lab.de
CTXAdmin@kekse-lab.de's Password: 
kinit: krb5_get_init_creds: unable to reach any KDC in realm kekse-lab.de


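The log in the first post and Martin's port 88 observation suggest the same two-step check an ADC admin wants before opening a ticket. As an added example (not code from the thread, from Citrix or from the nskrb tool), the Python below parses an nskrb.debug excerpt into a summary (which SRV lookups succeeded, which KDCs were tried, the final krb5 result) and turns that into a next-step hint, and separately classifies a plain TCP connect to port 88 as open, refused or timed out. The only error code assumed is krb5's KRB5_KDC_UNREACH, which is the -1765328228 printed in the log; the regular expressions are tailored to the message shapes shown above and are an assumption beyond those; the sample log is an excerpt of the posted output.

```python
import re
import socket
from collections import Counter

# krb5 error code that appears in the posted log: "Cannot contact any KDC for requested realm"
KRB5_KDC_UNREACH = -1765328228

# Message shapes taken from the nskrb.debug excerpt in the thread (assumed stable)
MSG_RE = re.compile(r"(?P<src>\w+\.c)\[(?P<line>\d+)\]:\s*(?P<msg>.*)")
SRV_RE = re.compile(r"searching DNS for realm (?P<realm>\S+) (?P<proto>\w+)\.kerberos -> (?P<code>-?\d+)")
HOST_RE = re.compile(r"trying to communicate with host (?P<host>\S+) in realm (?P<realm>\S+)")
RESULT_RE = re.compile(r"result of trying to talk to realm (?P<realm>\S+) = (?P<code>-?\d+)")

# Constructed sample: a shortened excerpt of the log posted above (timestamp and message on separate lines)
SAMPLE_LOG = """\
Wed Jan 20 22:15:42 2021
 krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
Wed Jan 20 22:15:42 2021
 krbhst.c[447]: srv_get_hosts searching DNS for realm mydomain.com tcp.kerberos -> 0
Wed Jan 20 22:15:42 2021
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC01.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021
 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'mydomain.com' using protocol 1
Wed Jan 20 22:15:42 2021
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC02.mydomain.com in realm mydomain.com
Wed Jan 20 22:15:42 2021
 krbhst.c[91]: srv_find_realm DNS lookup failed domain: _kerberos._http.mydomain.com.
Wed Jan 20 22:15:42 2021
 krbhst.c[447]: srv_get_hosts searching DNS for realm mydomain.com http.kerberos -> -1765328228
Wed Jan 20 22:15:42 2021
 send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm mydomain.com = -1765328228
Wed Jan 20 22:15:42 2021
 send_to_kdc.c[704]: krb5_sendto_context unable to reach any KDC in realm mydomain.com
"""


def parse_nskrb_debug(text):
    """Summarise an nskrb.debug excerpt: SRV lookup codes, KDCs tried, final result."""
    summary = {"realm": None, "srv": {}, "hosts": Counter(), "result": None, "unreachable": False}
    for raw in text.splitlines():
        m = MSG_RE.search(raw)
        if not m:
            continue  # bare timestamp line or unrelated text
        msg = m.group("msg")
        if (s := SRV_RE.search(msg)):
            summary["realm"] = s["realm"]
            summary["srv"][s["proto"]] = int(s["code"])   # 0 means the SRV lookup returned hosts
        elif (h := HOST_RE.search(msg)):
            summary["hosts"][h["host"]] += 1               # each KDC the library actually tried
        elif (r := RESULT_RE.search(msg)):
            summary["result"] = int(r["code"])
        elif "unable to reach any KDC" in msg:
            summary["unreachable"] = True
    return summary


def diagnose(summary):
    """Map the summary to the layer to look at next: 'dns', 'network', 'ok' or 'unknown'."""
    tcp_srv_ok = summary["srv"].get("tcp") == 0
    if not tcp_srv_ok and not summary["hosts"]:
        return "dns"       # no KDCs resolved at all: check _kerberos._tcp SRV records / DNS on the ADC
    if summary["hosts"] and summary["result"] == KRB5_KDC_UNREACH:
        return "network"   # KDCs resolved and requests sent, nothing came back: path/firewall/IPS on TCP+UDP 88
    if summary["result"] == 0:
        return "ok"
    return "unknown"


def probe_kdc_tcp(host, port=88, timeout=3.0):
    """Classify a TCP connect to a KDC port: 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # host answered with RST: reachable, but nothing listening (or a rejecting firewall)
    except socket.timeout:
        return "timeout"   # silent drop, the usual signature of a firewall or IPS in the path
    except OSError:
        return "error"     # e.g. name resolution failure


def probe_loopback_demo():
    """Exercise probe_kdc_tcp offline against a throwaway loopback listener."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = probe_kdc_tcp("127.0.0.1", port, timeout=1.0)
    after_close = probe_kdc_tcp("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    summary = parse_nskrb_debug(SAMPLE_LOG)
    print("realm:", summary["realm"], "srv:", summary["srv"], "hosts:", dict(summary["hosts"]))
    print("next step:", diagnose(summary))
    print("loopback probe (open listener, closed port):", probe_loopback_demo())
```

For the posted log the parser reports that the tcp SRV lookup succeeded, both DC01 and DC02 were tried, and the final code is KRB5_KDC_UNREACH, which `diagnose` classifies as a network-layer problem rather than a DNS one; that matches the IPS finding later in the thread. A `timeout` from `probe_kdc_tcp` against a real KDC on 88 from the ADC's subnet is the quickest way to confirm a silent drop, whereas `refused` points at the host itself.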
On 1/22/2021 at 3:09 PM, Martin Meier said:

I only get "unable to reach any KDC in realm kekse-lab.de" in my LAB if I block TCP/UDP Port 88 on my Domain Controller:

Maybe some kind of firewall issue on your side as well?

root@ns121# /netscaler/nskrb kinit CTXAdmin@kekse-lab.de
CTXAdmin@kekse-lab.de's Password: 
kinit: krb5_get_init_creds: unable to reach any KDC in realm kekse-lab.de

Thank you very much for this idea! The CheckPoint firewall at my customer's site was detecting TCP 88 requests from my ADC to my Domain Controllers as "DOS" - I don't know why the Intrusion Prevention System is doing such a sh**

After setting an explicit Kerberos IPS exclusion, all is working fine. 

Best Regards

Julian
