With authentication enabled on the ProxySG appliance and Kerberos Constraint Delegation (KCD) in use, users cannot access protected resources due to authentication errors such as:
You run an LSA Debug Trace on the ProxySG (/lsa/debug) and receive an error similar to the following:
0623.046 KTC::Get_ticket: init context failure -1765328351 Ticket not yet valid
In the ProxySG event logs, you may see events similar to these:
2016-06-29 10:42:44-00:00UTC "NTP: Receive timeout, retrying NTP Server: X.X.X.X" 0 90000:96 ntp.cpp:682
2016-06-29 10:42:45-00:00UTC "NTP: Receive timeout, exceeded maximum retries to NTP Server: Z.Z.Z.Z" 0 90000:64 ntp.cpp:675
The ProxySG appliance attempts to contact the Domain Controller (DC), which is responsible for issuing Kerberos tickets, on behalf of the client to obtain a Kerberos ticket or token. This is usually used in cases where the client cannot connect to the DC itself.
For information on KCD and how to configure it, refer to article 000008710.