Applies to: All versions of Centrify DirectControl on Mac OS X
Single-sign on (SSO) is failing when users try to connect to a network share on a certain file server.
Other file servers in the environment are able to mount immediately without prompting for credentials again (which means Kerberos is working correctly), but connecting to this specific host still prompts the user for authentication.
The connection is being made using the FQDN path (to ensure Kerberos compatibility) and there are no other connectivity issues on the machine.
What else can be checked to make SSO work for this file server?
SSO may fail to work properly if the Mac tries to authenticate via Kerberos on the wrong SPN (servicePrincipalName).
(This can happen in some environments such as those which use semi-disjointed namespaces.)
To verify this:
- Capture a network trace of a failed automatic-authentication on the network share.
- Open the packet capture in Wireshark and filter the output under the term:
- If the entries contain the following:
- error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
- Server Name (Service and Host): cifs/attempted-server.domain.com
- Then this could mean the file server's servicePrincipalName is not correct in Active Directory.
- (i.e. The SPN attribute does not contain the cifs entry for "attempted-server.domain.com")
To fix this:
- Open ADUC and make sure View has "Advanced Features" enabled.
- Navigate to the computer object for the file server where SSO is not working.
- Right-click > Properties > Attribute Editor tab
- Scroll down to the "servicePrincipalName" attribute and click Edit
- Make sure the following entries are in the list (If they're missing, go ahead and add them in):
- Once the entries have been added, test the mount again. It should now mount without prompting the user for credentials.
(Note: The server and client may require a restart for the changes to take effect)