Client not found in Kerberos database with Time and Attendance

Owned by Knowledge Assistant
Last updated: Apr 30, 2024 by Moriah Yorkey
2 min read
Description of Issue

Trying to login to Time and Attendance with Kerberos authentication returns Client not found in Kerberos Database

Context

  • Kerberos

  • Time and Attendance

  • ExecuTime

  • ET

Cause

Active Directory account not able to successfully communicate with ExecuTime

Resolution

Verify Active Directory user account

  • Check if username in AD and ExecuTime match exactly

  • Check if AD account is locked

  • Check if AD account password is about to expire or has expired

    • Both of these will trigger a bad login. Reset the password.

Additional Information

Kerberos (Unix) is not the same as Microsoft's LDAP. 

Kerberos uses port 88 while LDAP uses ports 339 and 636.

Application Logic for authentication:
    1. User enters in a User/Pw pair of values
    2. The app looks up the provided user name in the DB
        a. Doesn’t find a match – Fail
        b. Finds a match
            i. It then examines the flag for Kerberos authentication
                1) Not set – compares provided Pw with what is in the DB – Go or No go depending on the result
                2) Set to Kerberos Authentication
                    a) Pre-pends the REALM to the user, and then passes the pair to the DC for validation. Either Go or no Go. Technically the call will receive back a ‘0’ for ‘good’, or some goofy message (like ‘Client not found in Kerberos database (6)’ ) where the DC gives some incredibly terse value as to why this isn’t valid. Note: the User/Pw pair that is passed is the one entered. This process doesn’t use any ‘stored’ values here (other than referencing the username from the DB)

Â