
KB-1698: Troubleshooting Single Sign On (SSO) issues

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:06 AM

Applies to: All released versions of Centrify DirectControl

Problem:
The following error message appears when using the Centrify version of PuTTY, with Kerberos turned on, to connect to a machine running the Centrify version of OpenSSH:

"target service is not found"

However, when Kerberos authentication is disabled in PuTTY, login to this host works fine.

Cause:
In DNS, the fully qualified name of the SSHD host is sshd.xyz.com, but the local host name of the SSHD host is mysshd. A regular adjoin therefore creates an SPN with mysshd.xyz.com in the AD domain xyz.com. When PuTTY requests a service ticket for the SSH login using the DNS name sshd.xyz.com, the AD/KDC cannot locate an SPN associated with sshd.xyz.com and returns the above error message.

If Kerberos is disabled in PuTTY, a regular SSH login is carried out. No request for a Kerberos service ticket for SSO is initiated, so the above issue does not occur.

Resolution:
Run the following on the machine as root:

adleave -r

This leaves (disconnects from) the domain and removes the computer account that was created initially.

Then run:

adjoin -a <host.dns.name> <domain name>
e.g. adjoin -a sshd.xyz.com xyz.com

Note 1: This allows the AD/KDC to create the SPN associated with sshd.xyz.com.
Note 2: If the AD domain name (e.g. ca.xyz.com or xyz.net) and the DNS domain name (e.g. xyz.com) are disjoint, the same issue also occurs.
Note 3: For more information about troubleshooting SSO issues, please see the attached document.
Note 4: SSO for AD users will fail when all domain controllers in a domain are offline.
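
A check for the mismatch described under Cause, as an added example that is not part of the original article or of Centrify's tooling: it derives the SPN a Kerberos SSH client requests from the DNS name and looks for it in a `klist -k` style keytab listing read from standard input. The sample listing is constructed, the function names are hypothetical, and the check assumes the keytab entries mirror the SPNs registered on the computer account in AD.

```shell
#!/bin/sh
# Added example (not from the original article).
# Assumption: the keytab listing mirrors the SPNs on the AD computer account.

# Constructed sample: `klist -k` style listing for a host that was joined
# under its local name "mysshd" while DNS publishes it as sshd.xyz.com.
sample_keytab_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 host/mysshd.xyz.com@XYZ.COM
   3 host/mysshd@XYZ.COM
   3 MYSSHD$@XYZ.COM
EOF
}

# The SPN the client asks the KDC for: host/<name typed into the client>.
# SPN lookup in AD is case-insensitive, so compare in lower case.
spn_for_dns_name() {
    printf 'host/%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# check_sso_spn DNS_NAME  (keytab listing on stdin)
# Returns 0 if host/DNS_NAME is present, 1 if it is missing.
check_sso_spn() {
    want=$(spn_for_dns_name "$1")
    if awk -v want="$want" '
        $1 ~ /^[0-9]+$/ {            # data rows start with the KVNO
            p = tolower($2)
            sub(/@.*/, "", p)        # drop the @REALM suffix
            if (p == want) found = 1
        }
        END { exit !found }'
    then
        echo "OK: $want is registered"
        return 0
    fi
    echo "MISSING: $want (expect \"target service is not found\";" \
         "rejoin with: adjoin -a $1 <domain name>)"
    return 1
}

# Demonstration on the constructed listing.
sample_keytab_listing | check_sso_spn sshd.xyz.com || true   # MISSING
sample_keytab_listing | check_sso_spn mysshd.xyz.com         # OK
```

On a live host, pipe the output of `klist -k` into `check_sso_spn` with the DNS name that users type into PuTTY.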

See also:
KB-4303: How to troubleshoot SSH Single-Sign-On (SSO) and nested SSO?
KB-3285: How to Collect Debug Logs from an OpenSSH Server
KB-5452: How to enable debug for PuTTY / SSH clients?
