Checking Kerberos Key Distribution Center (KDC) connectivity

To check connectivity and reachability to a KDC host, use the following CLI command:

debug sentry kerberos kdc

This lets you verify that the port on the KDC host is reachable and is not blocked by a firewall.

Executing the debug sentry kerberos kdc CLI command opens a TCP connection to the specified KDC host. If a port is not specified, the default KDC port 88 is used. The connection is closed immediately after it is established, without sending or receiving any data.

Checking connectivity to a KDC host

To check connectivity to a KDC host, enter the following CLI command in configuration mode:

debug sentry kerberos kdc <hostname> [port]

hostname

The hostname for the KDC server.

port

The port for the KDC server. If port is not specified, the default port 88 is used.

Successful example

sentry/config# debug sentry kerberos kdc win2k8.acmetwo.acme.com

Connecting to KDC win2k8.acmetwo.acme.com, port 88

Connection successful.

Address: win2k8.acmetwo.acme.com/192.0.2.0:88

sentry/config#

Failure example

sentry/config# debug sentry kerberos kdc win2k8.acmeone.acme.com

Connecting to KDC win2k8.acmeone.acme.com, port 88

Connection failed.

java.net.UnknownHostException: win2k8.acmeone.acme.com

at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)

at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)

at java.net.Socket.connect(Socket.java:589)

at java.net.Socket.connect(Socket.java:538)

at java.net.Socket.<init>(Socket.java:434)

at java.net.Socket.<init>(Socket.java:211)

at com.ivanti.alcor.controller.SentryAdminController.debugKerberosKDC(SentryAdminController.java:1085)
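
The failure example above stops at name resolution (UnknownHostException), so it says nothing yet about the port or a firewall. The following added example, which is not part of the product or its documentation, repeats the same connect-and-close check from another host and reports name resolution, refusal and timeout as separate results. The function name check_kdc, the status strings and the hostname kdc.example.invalid are assumptions made for illustration.

```python
import socket
import sys

DEFAULT_KDC_PORT = 88  # default port stated on the page


def check_kdc(hostname, port=DEFAULT_KDC_PORT, timeout=5.0):
    """TCP-connect to hostname:port, send nothing, close.

    Returns (status, detail); status is one of
    'ok', 'unresolvable', 'refused', 'timeout', 'unreachable'.
    """
    try:
        # Resolve first so a naming problem is reported separately
        # from a network or firewall problem.
        addrs = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError) as exc:
        # gaierror: lookup failed; UnicodeError: malformed hostname.
        return ("unresolvable", f"{hostname}: {exc}")

    result = ("unreachable", f"{hostname}: no usable address")
    for family, socktype, proto, _canon, sockaddr in addrs:
        target = f"{hostname}/{sockaddr[0]}:{sockaddr[1]}"
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)  # handshake only, no payload
            return ("ok", target)
        except ConnectionRefusedError:
            # Connection actively refused: nothing is listening on the port.
            result = ("refused", target)
        except (socket.timeout, TimeoutError):
            # No answer at all: typical of a filter silently dropping packets.
            result = ("timeout", target)
        except OSError as exc:
            result = ("unreachable", f"{target}: {exc}")
    return result


if __name__ == "__main__":
    # Constructed placeholder hostname; pass a real KDC name as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "kdc.example.invalid"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_KDC_PORT
    print(check_kdc(host, port))
```

As with the CLI command, an 'ok' result shows only that the port accepts TCP connections, because no data is exchanged with the service behind it.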