Troubleshoot Kerberos Server Integration Errors

Failed Logins

If a user cannot log in to BeyondTrust using valid credentials, please check that at least one of the following sets of criteria is met.

  1. The user has been expressly added to an existing group policy.
  2. A default group policy has been set for the security provider configuration created to access the server against which the user is authenticating.
  3. The user is a member of a group that has been expressly added to an existing group policy, and both user authentication and group lookup are configured and linked.

Error 6ca and Slow Logins

  1. A 6ca error is a default response signifying that the B Series Appliance has not heard back from the DNS server. It may occur when attempting to log in to the representative console.
  2. If users are experiencing extremely slow logins or are receiving the 6ca error, verify that DNS is configured in your /appliance interface.

Troubleshooting Individual Providers

When configuring an authentication method tied to group lookup, it is important to configure user authentication first, then group lookup, and finally group policy memberships. When troubleshooting, you will want to work in reverse.

  1. Verify that the group policy is looking up valid data for a given provider and that you do not have any @@@ characters in the Policy Members field.
  2. If a group provider is configured, verify that its connection settings are valid and that its group Search Base DN is in the proper format.
  3. If you want to use group lookup, verify that the security provider is set to look up group memberships of authenticated users.
  4. To test the user provider, set a default policy and see if your users are able to log in.