Troubleshooting Authentication in Server Logs

To troubleshoot problems related to Active Directory Authentication, use the Authentication log on the Endpoint Security Management Server or Endpoint Policy Server in $UEPMDIR/logs/Authentication.log.

To see full debugging information in the Authentication.log file on a Gaia server:

1. On the Endpoint Security server, run: export TDERROR_ALL_KERBEROS_SERVER=5.
2. Restart the Endpoint Security server.

Results in Authentication.log

• If the Authentication.log file on the server shows:

  ERROR: Config file contains no principals.

  The database was cleaned or the process to include authentication in the client package was faulty. To fix:

  1. Repeat the process to configure authentication.
  2. Make a new client package.
  3. Restart the Endpoint Security server.
• If the Authentication.log file on the server shows:

  Permission denied in replay cache code

  Restart the Endpoint Security server.

• If the Authentication.log file on the server shows:

  Clock skew too great

  • Make sure that the Endpoint Security Management Server and all clients are synchronized with the Active Directory server.
  • Make sure that in the Windows Date and Time Properties window, the Automatically adjust clock for daylight saving changes option has the same value (selected or cleared) for all computers in the system, including the Active Directory server.
  • The following workaround is not recommended, for security reasons, but is offered if you cannot fix the clock skew error with synchronization changes.

    To ensure that authentication occurs even if the clocks of the client, the Endpoint Security Management Server and the Active Directory server are out of synch, define an acceptable skew. By default, the authentication clock skew is 3600 seconds. You can change the Endpoint Security settings. In $UEPMDIR/engine/conf/global.properties, add this line:
    authentication.clockSkew.secs=<seconds>, where you replace <seconds> with the clock skew in seconds that you want to allow.

• If the Authentication.log file on the server shows:

  Key version number for principal in key table is incorrect

  Update the Key version number in the Active Directory SSO Configuration window. You might have changed the user that is mapped to the ktpass service.

Troubleshooting Authentication in Client Logs

The Authentication.log file for each Endpoint Security client is on the client computer at %DADIR%/logs.

A normal log is:

[KERBEROS_CLIENT(KerberosLogger_Events)] : Credentials acquired for John@ACME-DOM.COM [KERBEROS_MESSAGE(KerberosLogger_Events)] : Message is Empty. [KERBEROS_CLIENT(KerberosLogger_Events)] : Security context is not yet established.continue needed.

If the Authentication.log file on the client shows:

No authority could be contacted for authentication.

The Endpoint Agent cannot find a Domain Controller to supply credentials. To fix this:

1. Make sure that the client is in the domain and has connectivity to your Domain Controller.
2. To authenticate with user credentials, log off and then log in again.

   To authenticate with device credentials, restart the computer.

If the Authentication.log file on the client shows:

The specified target is unknown or unreachable.

Check the service name. Make sure that there are no typing errors and that the format is correct. If there was an error, correct it in the Check Point Endpoint Security Management.