Administrator

Kerberos Error Codes

Problem

The Kerberos Key Distribution Center (KDC) returns error codes without definitions.

Workaround

See all Kerberos error code definitions in the Kerberos Network Authentication Service document, beginning on page 109. The error code is field [6].

Example

The following KRB-ERR message is in the server log:
#ERROR#com.sap.security.krb5.log.KRB5Logger##anonymous#http-bio-8080-exec-10###Received KRB-ERR message:
Application 30 {
  [SEQUENCE {
    [0] [INTEGER 5]
    [1] [INTEGER 30]
    [4] [GeneralizedTime Mon Nov 17 16:53:53 CET 2014]
    [5] [INTEGER 338507]
    [6] [INTEGER 13]
    [9] [GeneralString TESTABC.TST]
    [10] [SEQUENCE {
      [0] [INTEGER 2]
      [1] [SEQUENCE {
        GeneralString HTTP
        GeneralString HTTP/kerberos.domain
      }]
    }]
    [12] [OCTET STRING 3015a103020103a20e040c720200c00000000003000000]
  }]
} |

Field [6] is the error code, and has a value of 13. In the Kerberos Network Authentication Service document, error code 13 maps to KDC_ERR_BADOPTION (13): KDC cannot accommodate requested option.

Workaround: Verify that the service assigned to SAP Mobile Platform is configured so that it can delegate to the target service: kerberos.domain.

Example

SAP Mobile Platform Server fails to retrieve a Kerberos access ticket, and logs an error message similar to the following:
#ERROR#com.sap.security.krb5.log.KRB5Logger##anonymous#http-bio-8080-exec-8###Received KRB-ERR message:
Application 30  {
  [SEQUENCE  {
    [0]  [INTEGER  5]
    [1]  [INTEGER  30]
    [4]  [GeneralizedTime  Thu Jul 03 16:53:58 CST 2014]
    [5]  [INTEGER  197447]
    [6]  [INTEGER  37]
    [9]  [GeneralString  DEV106.DOMAIN]
    [10]  [SEQUENCE  {
      [0]  [INTEGER  2]
      [1]  [SEQUENCE  {
        GeneralString  krbtgt
        GeneralString  DEV106.DOMAIN
      }]
    }]
  }]
} |

Field [6] is the error code, and has a value of 37. In the Kerberos Network Authentication Service document, error code 37 maps to KRB_AP_ERR_SKEW (37): Clock skew too great.

Workaround: On the machine where SAP Mobile Platform Server is running, synchronize the clock with the Active Directory server clock by running this command as an administrator:
C:\WINDOWS\system32>w32tm /resync
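
The field [6] lookup used in both examples above, as an added Python example that is not SAP code: it walks a logged KRB-ERR dump by brace depth, so the nested [0] and [1] tags under field [10] are not mistaken for top-level fields, and resolves field [6] to its symbolic name. The function names, the subset of the error table and the abridged sample are assumptions of this example.

```python
import re
# Subset of the Kerberos V5 error-code table (RFC 4120, section 7.5.9); extend as needed.
KRB_ERRORS = {
    7: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    13: ("KDC_ERR_BADOPTION", "KDC cannot accommodate requested option"),
    37: ("KRB_AP_ERR_SKEW", "Clock skew too great"),
}
FIELD = re.compile(r"^\[(\d+)\]\s+\[(\w+)\s+(.*?)\]?$")  # "[6] [INTEGER 13]"

def parse_krb_err(log_text):
    """Return top-level KRB-ERR fields {tag: value}; [10] becomes a name list."""
    fields, sname, depth = {}, [], 0
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FIELD.match(line)
        if m and depth == 2:  # direct child of the outer SEQUENCE only
            fields[int(m.group(1))] = m.group(3)
        elif depth == 4 and line.startswith("GeneralString"):
            sname.append(line.split(None, 1)[1])  # name components under [10]
        depth += line.count("{") - line.count("}")  # indentation may be lost
    fields[10] = sname
    return fields

def explain(log_text):
    """Resolve field [6] to its symbolic name, with realm and service name."""
    f = parse_krb_err(log_text)
    if 6 not in f:
        raise ValueError("dump has no top-level field [6]")
    code = int(f[6])
    name, text = KRB_ERRORS.get(code, ("UNKNOWN", "not in the local table"))
    return dict(code=code, name=name, text=text, realm=f.get(9), sname=f[10])

# Abridged from the first example on this page ([0], [4], [5], [12] dropped).
SAMPLE = """Received KRB-ERR message:
Application 30 {
[SEQUENCE {
[1] [INTEGER 30]
[6] [INTEGER 13]
[9] [GeneralString TESTABC.TST]
[10] [SEQUENCE {
[0] [INTEGER 2]
[1] [SEQUENCE {
GeneralString HTTP
GeneralString HTTP/kerberos.domain
}]
}]
}]
} |"""
print(explain(SAMPLE))
```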