Linux Virtual Desktops are getting unregistered with error: "An error occurred in trying to obtain a TGT: Receive timed out"
Article ID: CTX233658
Description
Linux Virtual Desktop Agent machines get unregistered with the following errors in /var/log/xdl/vda.log:
2018-01-16 17:40:38.401 [ERROR] [25754] - RegistrationManager.AttemptRegistrationWithSingleDdc: Failed to register with http://x.x.x.x:80/Citrix/CdsController/IRegistrar. Error: General security error (An error occurred in trying to obtain a TGT: Receive timed out) <-- Deregistration happened
2018-01-16 18:38:29.947 [ERROR] [37] - InformationManager.GetLDAPComputerSID: Failed to query LDAP server x.x.x.x:3891 for computer SID. Error: LDAP Search error: LDAPSearch.GetKerberosAgentClientSubject: Unable to obtain LDAP Login Context. <-- Direct error accessing LDAP server
Resolution
Add multiple KDC servers to the realm definition in /etc/krb5.conf, as below:
TEST.COM = {
kdc = KDC1.TEST.COM
kdc = KDC2.TEST.COM
}
Problem Cause
The Kerberos server (KDC) mentioned in /etc/krb5.conf went down. No redundant KDC servers were mentioned in the configuration file, which led to this problem.
Additional Information
- Check if the KDC servers mentioned in the krb5.conf are reachable.
- In some special cases, the network infrastructure may have problems with the UDP packet because it is too big (exceeds the maximum UDP packet size). As a result, the packet is fragmented and the KDC may not receive the fragments in the correct order. As UDP is not a connection-oriented protocol, this causes the KDC to fail to process the packet. In this case, instead of replying to the client with a valid TGT, the KDC responds with the following error message and the authentication process stops:
KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
Recommendation
----------------------
Edit /etc/krb5.conf and, under the [libdefaults] section, specify a TCP or UDP protocol preference. By default, Kerberos uses UDP. However, Kerberos supports a TCP or UDP protocol preference through the udp_preference_limit parameter. If you need to use TCP, set udp_preference_limit to 1 so that TCP is always used. For example:
udp_preference_limit = 1
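As an added example (not part of the Citrix article), a small Python check that parses krb5.conf, reports realms that list only a single KDC (the problem cause above) and flags a udp_preference_limit that is unset or above 1 (the RESPONSE_TOO_BIG case). The embedded configuration is constructed, and the parser is a minimal one that only covers the directives used here.

```python
import re
# Constructed sample krb5.conf: TEST.COM as in the resolution above, plus a
# realm with a single KDC (the failure mode described under Problem Cause).
SAMPLE_KRB5_CONF = """
[libdefaults]
    udp_preference_limit = 1
[realms]
    TEST.COM = {
        kdc = KDC1.TEST.COM
        kdc = KDC2.TEST.COM
    }
    OLD.COM = {
        kdc = kdc.old.com
    }
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value, and REALM = { ... } stanzas."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1), None
            continue
        m = re.match(r"([^\s=]+)\s*=\s*\{$", line) if section == "realms" else None
        if m:  # start of a realm stanza
            realm = m.group(1)
            realms.setdefault(realm, [])
        elif line == "}":  # end of a realm stanza
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def audit(text):
    """Flag realms without KDC failover and a udp_preference_limit that keeps large requests on UDP."""
    libdefaults, realms = parse_krb5_conf(text)
    findings = [f"{r}: only {len(k)} KDC listed, no failover" for r, k in realms.items() if len(k) < 2]
    limit = libdefaults.get("udp_preference_limit")
    if limit is None or int(limit) > 1:
        findings.append("udp_preference_limit unset or above 1, large requests go over UDP first")
    return findings
```

Run audit() on the contents of /etc/krb5.conf on the VDA; an empty list means every realm has at least two KDCs and TCP is preferred.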