Receive Timed Out with Kerberos Authentication
All users are receiving Receive Timed Out when trying to login to Time and Attendance with Kerberos Authentication
Kerberos
Time and Attendance
ExecuTime
ET
 Kerberos v5 information is incorrect within the application
Verify that the information within ExecuTime for the Key Distribution Center and Realm is accurate.
Login to the application, and navigate to System Admin > UI Environment Flags > Login Configuration
Under Kerberos v5, verify the Key Distribution Center IP Address and Realm is correct.
If the Key Distribution Center field has the incorrect IP Address, update the field with the correct information.
On the ExecuTime application server, check if you can ping the IP or name that is entered in ExecuTime for the Key Distribution Center
Note: If the application server can't see the DC, all users who are Kerberos authenticated will be affected
If the Realm field is incorrect, update the field with the correct information.
The Realm can be determined from any workstation by echoing the value of %USERDNSDOMAIN% from the DOS command line prompt on your domain.
Open a Windows Command Prompt by selecting Start and typing Command Prompt
The Command Prompt will open, then type echo %USERDNSDOMAIN% and press Enter
The value returned is the Realm that should be entered into the Realm field in the application
Changes won't take effect until the ExecuTime service is restarted - How to restart the ExecuTime Service - OnPrem
Check if the time on the ExecuTime application server, and the client PC is in sync with the time on the Domain Controller.
The DC being referenced isn't syncing properly. DC changes can take a while to propagate throughout one's infrastructure can cause login issues if changes have yet to be synced.
Kerberos (Unix) is not the same as Microsoft's LDAP.Â
Kerberos uses port 88 while LDAP uses ports 339 and 636.
Application Logic for authentication:
  1. User enters in a User/Pw pair of values
  2. The app looks up the provided user name in the DB
    a. Doesn’t find a match – Fail
    b. Finds a match
      i. It then examines the flag for Kerberos authentication
        1) Not set – compares provided Pw with what is in the DB – Go or No go depending on the result
        2) Set to Kerberos Authentication
          a) Pre-pends the REALM to the user, and then passes the pair to the DC for validation. Either Go or no Go. Technically the call will receive back a ‘0’ for ‘good’, or some goofy message (like ‘Client not found in Kerberos database (6)’ ) where the DC gives some incredibly terse value as to why this isn’t valid. Note: the User/Pw pair that is passed is the one entered. This process doesn’t use any ‘stored’ values here (other than referencing the username from the DB)
Â