Checking Kerberos Key Distribution Center (KDC) connectivity
To check connectivity and reachability to a KDC host, use the following CLI command:
debug sentry kerberos kdc
This allows you to check that the port on the KDC host is reachable and ensure that the port is not blocked by a firewall.
Executing the debug sentry kerberos kdc CLI command opens a TCP connection to the specified KDC host. If a port is not specified, the default KDC port 88 is used. The TCP connection is dropped immediately after it is established, without sending or receiving any data.
Checking connectivity to a KDC host
To check connectivity to a KDC host, enter the following CLI command in configuration mode:
debug sentry kerberos kdc <hostname> [port]
• hostname: The hostname for the KDC server.
• port: The port for the KDC server. If port is not specified, the default port 88 is used.
Successful example
sentry/config# debug sentry kerberos kdc win2k8.acmetwo.acme.com
Connecting to KDC win2k8.acmetwo.acme.com, port 88
Connection successful. Address: win2k8.acmetwo.acme.com/192.0.2.0:88
sentry/config#
Failure example
sentry/config# debug sentry kerberos kdc win2k8.acmeone.acme.com
Connecting to KDC win2k8.acmeone.acme.com, port 88
Connection failed.
java.net.UnknownHostException: win2k8.acmeone.acme.com
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at java.net.Socket.connect(Socket.java:538)
    at java.net.Socket.<init>(Socket.java:434)
    at java.net.Socket.<init>(Socket.java:211)
    at com.mobileiron.alcor.controller.SentryAdminController.debugKerberosKDC(SentryAdminController.java:1085)
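The same kind of check can be run from another host on the network to tell a name-resolution failure (as in the failure example above) apart from a closed or filtered port. This is an added example, not Sentry's own code; the function name check_kdc and its status labels are assumptions made for illustration.

```python
import socket
import sys

KDC_DEFAULT_PORT = 88  # default KDC port used when none is specified


def check_kdc(host, port=KDC_DEFAULT_PORT, timeout=5.0):
    """Open a TCP connection to the KDC and close it without sending data.

    Returns (status, detail), where status is one of:
      "ok"          - TCP connection established
      "dns_failure" - hostname did not resolve (the UnknownHostException case)
      "refused"     - host answered, but nothing is listening on the port
      "timeout"     - no answer, typical of a firewall silently dropping packets
      "error"       - any other socket error
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns_failure", str(exc)

    last = ("error", "no addresses returned")
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)  # handshake only, no payload
            return "ok", f"{host}/{sockaddr[0]}:{sockaddr[1]}"
        except socket.timeout as exc:
            last = ("timeout", f"{sockaddr[0]}:{sockaddr[1]}: {exc}")
        except ConnectionRefusedError as exc:
            last = ("refused", f"{sockaddr[0]}:{sockaddr[1]}: {exc}")
        except OSError as exc:
            last = ("error", f"{sockaddr[0]}:{sockaddr[1]}: {exc}")
    return last


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <hostname> [port]")
    kdc_host = sys.argv[1]
    kdc_port = int(sys.argv[2]) if len(sys.argv) > 2 else KDC_DEFAULT_PORT
    print(f"Connecting to KDC {kdc_host}, port {kdc_port}")
    result, info = check_kdc(kdc_host, kdc_port)
    print(f"{result}: {info}")
    sys.exit(0 if result == "ok" else 1)
```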