Single Sign On with Kerberos Constrained Delegation does not work for Mobile Access users from the same domain with different UPN Suffixes
Symptoms
  • The $CVPNDIR/log/httpd.log file on the Mobile Access Gateway shows:

    [KERBEROS] [CVPN_ERROR] comErrHook: Cvpn::KerberosComponent::initCredentials : Cannot find KDC for requested realm : when doing krb5_get_init_creds_password()
  • Single Sign On for Kerberos Constrained Delegation does not work for Mobile Access users.

Cause

Kerberos Constrained Delegation does not work for Mobile Access users from the same domain with different UPN Suffixes:

The AD domain with which the Mobile Access Gateway should perform Kerberos Constrained Delegation is taken from the UPN suffix of the user who logged in to the Mobile Access Gateway.
However, the UPN suffix is not necessarily the user's domain (for example, different UPNs are needed for different applications).
In such cases, the Kerberos Delegator is not found.
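
To find which accounts this affects, the following added example (not Check Point code) compares each user's UPN suffix with the domain built from the DC components of the distinguishedName. The function names and sample accounts are constructed for illustration, and the case-insensitive comparison is an assumption of this example.

```python
import re

def domain_from_dn(dn):
    """Build the AD DNS domain name from the DC= components of a distinguishedName."""
    # Split on commas that are not backslash-escaped (RDN values may contain "\,").
    parts = [p.strip() for p in re.split(r'(?<!\\),', dn)]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()

def realm_from_upn(upn):
    """Realm implied by the UPN suffix (text after the last '@'), upper-cased."""
    if "@" not in upn:
        return None  # no suffix at all, so no realm can be derived
    return upn.rsplit("@", 1)[1].upper()

def find_mismatches(users):
    """Return (upn, upn_realm, domain_realm) for users whose UPN suffix is not their domain."""
    mismatches = []
    for upn, dn in users:
        upn_realm = realm_from_upn(upn)
        domain_realm = domain_from_dn(dn).upper()
        if upn_realm != domain_realm:  # assumption: realm comparison ignores case
            mismatches.append((upn, upn_realm, domain_realm))
    return mismatches

# Constructed sample data: (userPrincipalName, distinguishedName) pairs,
# e.g. as exported from the directory. All names are made up.
SAMPLE_USERS = [
    ("alice@corp.example.com", "CN=Alice,OU=Staff,DC=corp,DC=example,DC=com"),
    ("bob@mail.example.com", "CN=Bob,OU=Staff,DC=corp,DC=example,DC=com"),
    ("carol@Corp.Example.Com", "CN=Smith\\, Carol,OU=Staff,DC=corp,DC=example,DC=com"),
    ("dave", "CN=Dave,OU=Staff,DC=corp,DC=example,DC=com"),
]

if __name__ == "__main__":
    for upn, upn_realm, domain_realm in find_mismatches(SAMPLE_USERS):
        print(f"{upn}: UPN suffix realm {upn_realm} differs from domain realm {domain_realm}")
```
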


Solution