
Kerberos authentication is not working even though it is configured.


Article ID: 187740


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have configured a KDC server and verified that the firewall is open to the KDC. We configured both a device group and the individual device with the KDC per the documentation page https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/integrating/configure-kerberos-piv-cac-authentication-for-windows-targets.html. When we attempt to RDP to that device, we get the error "Cannot perform Kerberos authentication; a KDC Server is not configured for the Device that you're attempting to access.".

 



Cause

The device was configured with an IP address as its device address. As of March 2020, supported PAM releases (3.3.2 being the latest) only allow Kerberos authentication if the target device address is a Fully Qualified Domain Name (FQDN). IPs or short names in the device address field are not accepted and will cause the observed error.

Environment

Release: 3.3

Component: PRIVILEGED ACCESS MANAGEMENT

Resolution

Change the device configuration in PAM to use the device's FQDN as the device address.
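An added pre-check, not part of the original article or the product's own code: it flags device addresses that are IPs or short names so they can be corrected before Kerberos authentication is used. The device list is constructed, the function names are hypothetical, and the FQDN test (two or more valid DNS labels, not an IP literal) is an assumption about what PAM accepts.

```python
import ipaddress
import re

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_address(address: str) -> str:
    """Return 'ip', 'short_name', 'fqdn' or 'invalid' for a device address."""
    addr = address.strip()
    if not addr:
        return "invalid"
    # IPv4 and IPv6 literals (brackets around IPv6 are tolerated).
    try:
        ipaddress.ip_address(addr.strip("[]"))
        return "ip"
    except ValueError:
        pass
    # Assumption: a trailing DNS root dot is tolerated; the page does not say.
    host = addr[:-1] if addr.endswith(".") else addr
    if len(host) > 253:
        return "invalid"
    labels = host.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return "invalid"
    if len(labels) == 1:
        return "short_name"
    # An all-numeric last label (e.g. "10.0.0") is a malformed IP, not a domain.
    if labels[-1].isdigit():
        return "invalid"
    return "fqdn"


def kerberos_blockers(devices):
    """Return (name, address, kind) for every device whose address is not an FQDN."""
    return [(name, addr, classify_address(addr)) for name, addr in devices
            if classify_address(addr) != "fqdn"]


# Constructed sample inventory (device name, device address); not a PAM export.
SAMPLE_DEVICES = [
    ("dc01", "dc01.corp.example.com"),
    ("jump01", "10.20.30.40"),
    ("file01", "file01"),
    ("app01", "fd00::15"),
]

if __name__ == "__main__":
    for name, addr, kind in kerberos_blockers(SAMPLE_DEVICES):
        print(f"{name}: {addr!r} is {kind}; set the device address to the FQDN")
```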
