Verifying Kerberos configuration

To verify the Kerberos constrained delegation (KCD) setup, use the following CLI command:

debug sentry kerberos request-ticket

The CLI command issues a Kerberos ticket for a particular user. These tickets are issued for testing and debugging only and are not cached or reused.

Table 1. Verifying Kerberos configuration

Feature: Request a Kerberos ticket on behalf of a user with a host:port combination
Command: debug sentry kerberos request-ticket host-port <upn> <realm> <hostname> [port]
  upn: user's UPN
  realm: user's REALM
  hostname: backend server's hostname
  port: backend server's port (the default value for port is 443)

Feature: Request a Kerberos ticket on behalf of a user with an SPN
Command: debug sentry kerberos request-ticket spn <upn> <realm> <spn>
  upn: user's UPN
  realm: user's REALM
  spn: service principal name