KB-2526: Cannot create consistently forwardable Kerberos tickets using Centrify OpenSSH

Authentication Service

12 April,16 at 11:08 AM

Applies to: All versions of Centrify DirectControl on *specific platforms

Consider the following scenario:
a) 2 Centrify servers are trusted for delegation as seen in Active Directory Users and Computers. (See: KB-2333: How to configure Centrify Putty to access a machine in a trusted domain with Kerberos Authentication)
b) Both servers are running Centrify's OpenSSH. The sshd_config was not changed.
c) On the client side, Centrify Putty is used with Kerberos settings in place.
d) A new TGT is received from the Windows client machine (klist shows it is current)
e) Forward and reverse lookup of both Centrify servers are fine from Windows.
f) In /etc/centrifydc/centrifydc.conf, is set to true
g) In /etc/centrifydc/centrifydc.conf, krb5.unique.cache.files is set to false

After the first hop with SSO, the command /usr/share/centrifydc/kerberos/bin/klist -f reports no credentials cache found.
As a result, the second hop fails.
Is there any reason for this?

This is a known issue in our code and not SSHD itself. There is no workaround.
This will be fixed in Centrify DirectControl 5.1.

*Excludes CentOS 6.3, Debian 6, Fedora 17, Oracle Linux EL 6u2