
Check Point HARMONY R81 - Troubleshooting Authentication in Client Logs

Check Point HARMONY R81
451 pages
Active Directory Authentication
R81 Harmony Endpoint Server Administration Guide|183
● Make sure that in the Windows Date and Time Properties window, the
Automatically adjust clock for daylight saving changes option has the same
value (selected or cleared) for all computers in the system, including the Active
Directory server.
● The following workaround is not recommended, for security reasons, but is offered
if you cannot fix the clock skew error with synchronization changes.
To ensure that authentication occurs even if the clocks of the client, the Endpoint
Security Management Server and the Active Directory server are out of sync,
define an acceptable skew. By default, the authentication clock skew is 3600
seconds. You can change this in the Endpoint Security settings. In the
$UEPMDIR/engine/conf/global.properties file, add this line:
authentication.clockSkew.secs=<seconds>
where <seconds> is the clock skew, in seconds, that you want to allow.
■ If the Authentication.log file on the server shows:
Key version number for principal in key table is incorrect
Update the Key version number in the Active Directory SSO Configuration window.
You might have changed the user that is mapped to the ktpass service (see
"Step 1 of 3: Configuring the Active Directory Server for Authentication" on page 177).
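To check whether the clock skew workaround above is in effect on a server, the following added example (not from the Check Point guide) reads the effective authentication.clockSkew.secs value from a properties file and flags it if it is wider than the 3600-second default. It assumes that the last occurrence of the key wins, as in Java properties files, and the function name and status words are illustrative.

```shell
# Added example: audit the clock-skew override in global.properties.
# Assumptions (not from the guide): the last occurrence of the key wins,
# and any value above the 3600 s default is reported as WIDENED.
DEFAULT_SKEW=3600

# Prints "<status> <value>"; status is DEFAULT, OK, WIDENED or INVALID.
# Exit code: 0 = default or within default, 1 = widened, 2 = invalid.
audit_clock_skew() {
    file=$1
    [ -r "$file" ] || { echo "INVALID unreadable"; return 2; }
    # Last uncommented assignment of the key; strip spaces and any CR.
    value=$(sed -n 's/^[[:space:]]*authentication\.clockSkew\.secs[[:space:]]*[=:][[:space:]]*//p' "$file" \
            | tail -n 1 | tr -d '[:space:]')
    if [ -z "$value" ]; then
        echo "DEFAULT $DEFAULT_SKEW"
        return 0
    fi
    case $value in
        *[!0-9]*) echo "INVALID $value"; return 2 ;;
    esac
    if [ "$value" -gt "$DEFAULT_SKEW" ]; then
        echo "WIDENED $value"
        return 1
    fi
    echo "OK $value"
}

# Constructed sample file (not a real server configuration).
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'authentication.clockSkew.secs=300' \
    'authentication.clockSkew.secs = 7200' > "$sample"
audit_clock_skew "$sample" || true
rm -f "$sample"
```

On the server, call it as audit_clock_skew "$UEPMDIR/engine/conf/global.properties".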
To turn off full debugging information on the Endpoint Security server:
1. On the Endpoint Security server, unset the debug variable:
unset TDERROR_ALL_KERBEROS_SERVER
2. Make sure that the output is empty:
echo $TDERROR_ALL_KERBEROS_SERVER
3. Restart the Endpoint Security server. Run:
uepm_stop ; uepm_start
Troubleshooting Authentication in Client Logs
The Authentication.log file for each Endpoint Security client is on the client computer at %DADIR%/logs.
A normal log is:
