Users receive authentication errors and LSA debug logs on the ProxySG display “Ticket not yet valid” errors
Article ID: 169105
Updated On:
Products
Issue/Introduction
With authentication enabled on the ProxySG appliance and Kerberos Constraint Delegation (KCD) in use, users cannot access protected resources due to authentication errors such as:
The ProxySG encountered an internal error while preparing to send your username/password upstream: "Kerberos cache encountered an unexpected error."
This error can only occur when the ProxySG "server authentication" feature is used.
For assistance, contact your network support team.
You run an LSA Debug Trace on the ProxySG (/lsa/debug) and receive an error similar to the following:
0623.046 KTC::Get_ticket: init context failure -1765328351 Ticket not yet valid
In the ProxySG event logs, you may see events similar to these:
2016-06-29 10:42:44-00:00UTC "NTP: Receive timeout, retrying NTP Server: X.X.X.X" 0 90000:96 ntp.cpp:682
2016-06-29 10:42:45-00:00UTC "NTP: Receive timeout, exceeded maximum retries to NTP Server: Z.Z.Z.Z" 0 90000:64 ntp.cpp:675
The ProxySG appliance attempts to contact the Domain Controller (DC), which is responsible for issuing Kerberos tickets, on behalf of the client to obtain a Kerberos ticket or token. This is usually used in cases where the client cannot connect to the DC itself.
For information on KCD and how to configure it, refer to article 000008710.
Cause
Resolution
- Set the NTP server to the same ones that the DC uses, and then click Acquire UTC Time.
- Set the Time Zone to match that of the DC by clicking Set Time Zone.
The DC’s time is adjusted on its Windows environment, similar to changing the time on any Windows machine.
Feedback
