Kerberos Authentication Error
sheckandar,
User (Posts: 3)
Dec 18, 2024 4:01:28 pm EST
Support level: Free or trial
We have NTLM disabled across the entire domain. I'm trying to use Kerberos Windows Authentication, but it fails.
Host error:
Code: #35# Event: Password is incorrect or error occurs. IP: loopback
Hosts are connected to a self-hosted server outside of the domain. Viewer is on another PC and connecting to hosts over Internet via the self-hosted server. The PC with Viewer is domain joined to a different domain.
All Remote Utilities software is of the latest version.
Pauline,
Support (Posts: 2886)
Dec 18, 2024 5:58:42 pm EST
Hello,
Thank you for your message.
It seems that the issue might be caused by a mismatch in the Kerberos authentication process due to the following factors:
1. Different Domains: since the Viewer PC and the hosts are in separate domains, Kerberos requires proper cross-domain trust to authenticate. If there's no trust relationship between the two domains, authentication will fail. Please try verifying if the domains have a two-way trust configured. If not, set up the required trust relationship or ensure both systems are in the same domain for Kerberos to work.
2. Time Synchronization: Kerberos authentication is sensitive to time discrepancies. If the clocks between the Viewer PC, Host PC, the self-hosted RU Server, and the domain controllers are not in sync, it will fail. Please double-check to ensure all machines are synchronized to the same NTP server.
3. Password Incorrect Error: The error suggests authentication attempts with invalid credentials. Ensure:
- The correct username/password is used.
- The account has not been locked out due to failed attempts.
- The account being used has permission to authenticate against the target system.
4. Last but not least, fallback to NTLM: since NTLM is disabled, any fallback attempts by Remote Utilities will fail if Kerberos isn’t configured correctly. Ensure Kerberos is the only supported and functional authentication protocol.
Finally, double-check the Connection Properties -> Security to ensure Kerberos authentication is properly enabled and configured.
Hope this helps!
sheckandar,
User (Posts: 3)
Dec 18, 2024 8:54:41 pm EST
Support level: Free or trial
1. Host domain and Viewer domain are unrelated and cannot have trust set up.
2. Time is correct on all computers and synced via NTP.
3. I am not being asked to enter any credentials before authentication failure is reported.
4. I think Kerberos is set up correctly as I can authenticate for RDP and it works.
I set up SPN for my username as host/<username>.<fqdn>; however, the issue remained. Also, the SPN entry under Connection Properties -> Security disappears after each authentication attempt.
I would like to know more about how Kerberos authentication is handled.
I was under the impression that the Host would initiate Kerberos authentication as it is the only endpoint inside the AD domain. All other software is outside the domain and cannot communicate with the Kerberos server. Furthermore, since I'm not being asked to enter any credentials, I'm assuming that the Viewer is using the logged-on user's security context to request a Kerberos ticket, which would fail since the domains are different.
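The checks raised in this thread (clock skew, domain trusts, SPN registration, ticket acquisition, NTLM fallback) can be run from the domain-joined Host with built-in Windows tools. This is an added example, not part of the original posts or of Remote Utilities' documentation; the SPN and domain controller names are placeholders.

```powershell
# Added example: run in PowerShell on the domain-joined Host.
# $Spn and $Dc are placeholders; substitute the values from your own domain.
param(
    [string]$Spn = 'host/host01.corp.example',
    [string]$Dc  = 'dc01.corp.example'
)

# 1. Clock skew against the domain controller. Kerberos rejects requests whose
#    timestamps differ by more than the tolerance (5 minutes by default).
$sample = w32tm /stripchart /computer:$Dc /samples:1 /dataonly | Select-Object -Last 1
if ($sample -match '([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    $verdict = if ($skew -lt 300) { 'within tolerance' } else { 'exceeds 5 minutes' }
    "Clock skew vs ${Dc}: $skew s ($verdict)"
} else {
    "No time sample from ${Dc}: $sample"
}

# 2. Trusts known to this machine's domain. Cross-domain Kerberos needs a
#    trust so the client's KDC can refer it to the Host's domain.
nltest /domain_trusts

# 3. Which account holds the SPN. A missing SPN or one registered on more
#    than one account both prevent a usable service ticket.
setspn -Q $Spn

# 4. Request a service ticket for the SPN in the logged-on user's session.
#    Success here shows the KDC can issue a ticket for that service name.
klist get $Spn

# 5. Local NTLM restriction values (empty means not configured on this
#    machine) and the most recent entries in the NTLM operational log,
#    which show whether something is still attempting NTLM.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' |
    Select-Object RestrictSendingNTLMTraffic, RestrictReceivingNTLMTraffic
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```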
Conrad Sallian,
Support (Posts: 3074)
Dec 19, 2024 12:06:37 pm EST
Hello Sheckandar,
Do you use RU Server in your setup?
sheckandar,
User (Posts: 3)
Dec 19, 2024 6:25:43 pm EST
Support level: Free or trial
Conrad Sallian wrote:
> Hello Sheckandar,
> Do you use RU Server in your setup?
Yes, I do.
Conrad Sallian,
Support (Posts: 3074)
Dec 20, 2024 12:02:49 pm EST
Then this might be a currently confirmed bug. It will be fixed in the next server update.
Would you mind if we send you a test server .exe for you to verify that the problem is fixed? We can prepare it within the next few days. Feel free to send us a message to support@remoteutilities.com so we can send you a download link later.
Sorry for the inconvenience.
* Website time zone: America/New_York (UTC -5)