Receive Timed Out with Kerberos Authentication

Description of Issue

All users receive a "Receive Timed Out" error when trying to log in to Time and Attendance with Kerberos authentication.

Context
  • Kerberos

  • Time and Attendance

  • ExecuTime

  • ET

Cause

Kerberos v5 information is incorrect within the application.

Resolution

Verify that the information within ExecuTime for the Key Distribution Center and Realm is accurate.

  1. Log in to the application, and navigate to System Admin > UI Environment Flags > Login Configuration

  2. Under Kerberos v5, verify that the Key Distribution Center IP Address and Realm are correct.

    1. If the Key Distribution Center field has the incorrect IP Address, update the field with the correct information.

      1. On the ExecuTime application server, check if you can ping the IP or name that is entered in ExecuTime for the Key Distribution Center

        1. Note: If the application server can't see the DC, all users who are Kerberos authenticated will be affected

    2. If the Realm field is incorrect, update the field with the correct information.

      1. The Realm can be determined from any workstation by echoing the value of %USERDNSDOMAIN% from the DOS command line prompt on your domain.

        1. Open a Windows Command Prompt by selecting Start and typing Command Prompt

        2. The Command Prompt will open, then type echo %USERDNSDOMAIN% and press Enter

        3. The value returned is the Realm that should be entered into the Realm field in the application

    3. Changes won't take effect until the ExecuTime service is restarted (see How to restart the ExecuTime Service - OnPrem).

Check whether the time on the ExecuTime application server and on the client PC is in sync with the time on the Domain Controller.

The DC being referenced isn't syncing properly. DC changes can take a while to propagate throughout one's infrastructure, and this can cause login issues if the changes have yet to be synced.
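The checks above (realm, KDC reachability, clock sync) can be run in one pass from the ExecuTime application server, and the clock check repeated on a client PC. This PowerShell script is an added example, not part of the vendor's procedure; the KDC address and realm are placeholder values to replace with what is entered in ExecuTime.

```powershell
# Added example. Placeholder values (assumptions): replace with what is entered
# in ExecuTime under Login Configuration > Kerberos v5.
$ConfiguredKdc   = '192.0.2.10'      # documentation-range IP, not a real DC
$ConfiguredRealm = 'EXAMPLE.LOCAL'   # constructed realm name
$MaxSkewSeconds  = 300               # Kerberos default clock-skew tolerance (5 min)
$findings = @()

# Realm: the configured value should equal %USERDNSDOMAIN% (realms are case-sensitive).
$domain = $env:USERDNSDOMAIN
if (-not $domain) {
    $findings += 'USERDNSDOMAIN is empty; run this from a domain logon session.'
} elseif ($domain -cne $ConfiguredRealm) {
    $findings += "Realm mismatch: ExecuTime has '$ConfiguredRealm', domain reports '$domain'."
}

# Reachability: ping, then a TCP connect to the Kerberos port (88).
# Kerberos also runs over UDP 88, which this TCP test does not exercise.
$ping = Test-Connection -ComputerName $ConfiguredKdc -Count 2 -Quiet
if (-not $ping) {
    $findings += "No ping reply from $ConfiguredKdc (ICMP may be filtered; see the port test)."
}
$tcp88 = Test-NetConnection -ComputerName $ConfiguredKdc -Port 88 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
if (-not $tcp88) {
    $findings += "TCP 88 on $ConfiguredKdc is not reachable from $env:COMPUTERNAME."
}

# Clock skew: ask the DC for its time offset (one NTP sample, no changes made).
$w32 = (w32tm /stripchart "/computer:$ConfiguredKdc" /samples:1 /dataonly 2>&1 | Out-String)
if ($w32 -match ',\s*([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    if ($skew -gt $MaxSkewSeconds) {
        $findings += "Clock differs from the DC by $([math]::Round($skew)) s (limit $MaxSkewSeconds s)."
    }
} else {
    $findings += "Could not read a time offset from ${ConfiguredKdc}: $($w32.Trim())"
}

if ($findings.Count -eq 0) {
    'All checks passed: realm matches, KDC reachable, clock within tolerance.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```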

Additional Information

Kerberos (Unix) is not the same as Microsoft's LDAP. 

Kerberos uses port 88 while LDAP uses ports 339 and 636.

Application Logic for authentication:
    1. User enters in a User/Pw pair of values
    2. The app looks up the provided user name in the DB
        a. Doesn’t find a match – Fail
        b. Finds a match
            i. It then examines the flag for Kerberos authentication
                1) Not set – compares provided Pw with what is in the DB – Go or No go depending on the result
                2) Set to Kerberos Authentication
                    a) Prepends the REALM to the user, and then passes the pair to the DC for validation. Either Go or No go. Technically the call will receive back a ‘0’ for ‘good’, or some goofy message (like ‘Client not found in Kerberos database (6)’) where the DC gives some incredibly terse value as to why this isn’t valid. Note: the User/Pw pair that is passed is the one entered. This process doesn’t use any ‘stored’ values here (other than referencing the username from the DB).