I’m using a Mac at work and I found out that Kerberos sometimes needs a “kick” for SSO to work properly. Sometimes after being offline the renewal of the Kerberos ticket fails (especially when remote and connected via ZTA or VPN), even though everything looks alright in the “Ticket Viewer” app.
This is where the CLI came in handy, so I decided to document the few steps here in case somebody else needs them. The Terminal app is your friend for the next lines.
To view the current Kerberos tickets:
klist -v
If there are no tickets, which is what I expect when I have a problem, the output is empty.
To request a ticket:
kinit -V -p [email protected]
You will be prompted for your password, and the output will confirm that your ticket has been placed in the credentials cache:
[email protected]'s password:
Placing tickets for '[email protected]' in cache 'API:AAAAAAAA-BBBB-CCCC-DDDD-CCCCCCCCCCCC'
Sometimes you may need to use a specific AD domain controller. The output is the same as above, but the command line needs to change (below I use the FQDN, but an IP address will work as well):
kinit --kdc-hostname=AD-DC-SERVER.EXAMPLE.COM -V -p [email protected]
Now you should see a ticket issued:
klist -v
Credentials cache: API:AAAAAAAA-BBBB-CCCC-DDDD-CCCCCCCCCCCC
Principal: [email protected]
Cache version: 0

Server: krbtgt/[email protected]
Client: [email protected]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 15
Ticket length: 4992
Auth time: Jan 14 06:42:56 2025
End time: Jan 14 16:42:50 2025
Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable
Addresses: addressless
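As an added example that is not part of the original post, here is a small shell script that automates the steps above: it reads the klist -v output for the TGT's end time and runs the post's kinit command only when the ticket is missing or expired. It assumes Heimdal klist/kinit as shipped with macOS; the principal, the KDC hostname and the sample klist text are placeholders.

```bash
# Added example (not from the original post): give Kerberos the "kick" from
# the post only when the cache has no TGT or the TGT has expired.
# Assumptions: Heimdal klist/kinit as shipped with macOS; principal and KDC
# are placeholders supplied by the caller.

# Convert klist's "Mon DD HH:MM:SS YYYY" timestamp to seconds, treating it as
# UTC. Both sides of every comparison pass through this function, so the local
# offset cancels and no GNU-vs-BSD `date` parsing is needed.
ts_to_num() {
  printf '%s\n' "$1" | awk '{
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i = 1; i <= 12; i++) if (m[i] == $1) mon = i
    day = $2; split($3, t, ":"); yr = $4
    y = (mon <= 2) ? yr - 1 : yr            # days-from-civil, proleptic Gregorian
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * (mon > 2 ? mon - 3 : mon + 9) + 2) / 5) + day - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    days = era * 146097 + doe - 719468
    printf "%d\n", days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
  }'
}

# Print the "End time" of the krbtgt (TGT) entry found in klist -v text on stdin.
tgt_end_time() {
  awk '/Server: *krbtgt\//{tgt=1} tgt && /End time:/{sub(/^.*End time: */,""); print; exit}'
}

# Exit 0 when stdin holds a TGT whose end time is after "$1" (klist's format).
tgt_is_valid() {
  local now="$1" end
  end=$(tgt_end_time)
  [ -n "$end" ] || return 1
  [ "$(ts_to_num "$end")" -gt "$(ts_to_num "$now")" ]
}

# ensure_tgt PRINCIPAL [KDC-HOSTNAME]: run kinit only when a ticket is needed.
ensure_tgt() {
  local principal="$1" kdc="$2"
  klist -v 2>/dev/null | tgt_is_valid "$(LC_ALL=C date '+%b %d %H:%M:%S %Y')" && return 0
  if [ -n "$kdc" ]; then kinit --kdc-hostname="$kdc" -V -p "$principal"
  else kinit -V -p "$principal"; fi
}

# Constructed sample of `klist -v` output (shape from the post, values made up).
SAMPLE_KLIST='Credentials cache: API:AAAAAAAA-BBBB-CCCC-DDDD-CCCCCCCCCCCC
Principal: user@EXAMPLE.COM
Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Client: user@EXAMPLE.COM
Auth time: Jan 14 06:42:56 2025
End time: Jan 14 16:42:50 2025'
```

Call ensure_tgt with your principal (and optionally the domain controller) from a login script or a shell alias; it is silent when the cached ticket is still good.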
I hope you’ll find this useful if you’re ever in need.