Even with a clean Kerberos software installation, it is still possible to run into problems when trying to access Kerberos-controlled network services. The tips provided below may help with some of the more common problems.
If the problem you are having isn't covered here, please contact the IT Service Desk (Help Desk) at 646-2999, send e-mail to firstname.lastname@example.org, or call your department's IT support office. It is always possible there is a problem with your computer's system software.
If the test is unsuccessful the second time through, it's possible there are some configuration problems with your installation. For some of the common configuration problems, see below. If you still have problems accessing the Kerberos-controlled network services, please contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, send e-mail to email@example.com, or call your department's IT support office.
Even with a correctly configured Kerberos setup, it is still possible to run into problems when trying to access Kerberos-controlled network services. Information about some of the standard Kerberos error codes is provided below.
Note: SideCar will not work on any Macintosh computer with an Intel processor, or any Macintosh computer manufactured after June 2006. On these machines, there is often no error message, but the system fails to authenticate.
If you are using a Macintosh and you receive an Error code 3, it probably means the clock on your Macintosh is set incorrectly (either the time or the time zone). The Macintosh is unable to obtain the correct time from the Kerberos ticket server to compensate for the clock error. To set the clock, go to the Date & Time System Preference and reset your clock to the correct time. If the problem persists, search for and throw out the edu.mit.kerberos file that is usually in the Users->yourusername->Library->Preferences folder. Empty your trash and restart your machine.
If you are using a Macintosh and you receive an Error code 5, it means you are using an incorrect password. The error text in the dialog box says "Sorry, your password is incorrect. Please try again." Check to make sure the [Caps lock] key is not set. Verify that you are using the correct password.
If you are entering the correct BlitzMail password, but are still receiving a password incorrect error, change your BlitzMail password. The reason for this is arcane and fairly technical. To put it simply, BlitzMail uses an authentication process that may allow you to sign on if the password you type in is "one letter off" from your real password (for example, substituting an "m" for an "n"). So, you may be able to sign on to BlitzMail, but not able to sign on to other authenticated services.
If you are unable to change your password, please contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, send e-mail to firstname.lastname@example.org, or call your department's IT support office.
If your DND name is longer than 38 characters, you will receive error 79 or error 81 from Kerberos. There is a limit to the length of your DND name in the Kerberos software. If your full DND name is longer than 38 characters, please contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, send e-mail to email@example.com, or call your
Because of some quirks in browser programs, it is possible you are able to successfully test your Kerberos installation, but still get an error page when you try to access a Kerberos-controlled Web site. If this occurs, it is likely your browser program (Internet Explorer, Safari, Firefox, etc.) has stored the error page in its memory cache. Since the browser program thinks you have already visited that page, you get an error instead of the correct page.
The solution is to empty the cache. With most browsers, the process requires going to the Preferences or Internet Options and selecting the Clear or Empty Cache option.
If you have already gone through the testing process and have installed a clean copy of the Kerberos software, but you are still getting an error message telling you SideCar is not installed, there are three possible reasons. They all prevent Kerberos from being able to contact your computer across the network and to obtain a ticket, even if you can see your name in the floating ticket window. They are:
With each of these, you may not be able to fix the problem. If that is the case, we recommend using a VPN connection (Mac OS X, Windows), which creates a secure network connection between your computer and the Dartmouth network. Start the VPN connection on your computer, then obtain a Kerberos ticket.
If you don't know how to use Dartmouth's VPN software, see Using the Juniper VPN, or contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, send e-mail to firstname.lastname@example.org, or call your department's IT support office.
If you get a "Time is out of bounds" error message, it usually means your computer's system clock is out of sync with the clock on the Kerberos ticket server. It is possible your computer has been set to an incorrect time zone, or your computer's clock is more than 10-15 minutes off from the Kerberos server's clock. The easiest way to fix this is to set the KClient/SideCar option for synchronizing your computer's clock with the Kerberos server clock.
For Mac OS X users, select System Preferences from the Apple menu, then Date & Time. Click the Set date & time automatically field and enter nts.dartmouth.edu in the field.
For Windows users, right-click on the Padlock (Kerberos) icon in your system tray and select the Synchronize Clock option. Try to access a Kerberos-controlled Web site again. If you still get a "Time is out of bounds" error message, your computer's clock may be set to a time zone other than the Eastern time zone. Double-click the Clock icon in your system tray, select the Time Zone tab and make sure it's set to Eastern Time (US & Canada) if you are in the eastern time zone. If you are in a different time zone, make sure the time zone is set to the one where you are currently located and that your computer's clock shows the correct time for that zone.
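The two causes named above, a wrong time zone and a clock that has drifted, can be told apart from one reply from a time server such as nts.dartmouth.edu. The following is an added example, not part of the original page or of the KClient/SideCar software: it parses an SNTP reply, computes the clock offset, and classifies it. The 10-minute limit is an assumption taken from the low end of the "10-15 minutes" stated above, the function names are hypothetical, and the sample reply is constructed.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW = 10 * 60             # assumption: low end of the page's "10-15 minutes"

def parse_sntp_reply(packet):
    """Return the server's (receive, transmit) timestamps as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("SNTP reply is shorter than 48 bytes")
    if packet[0] & 0x07 != 4:
        raise ValueError("not a server reply (mode != 4)")
    if packet[1] == 0:
        raise ValueError("server is unsynchronized (stratum 0)")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", packet[32:48])
    to_unix = lambda s, f: s - NTP_EPOCH_DELTA + f / 2**32
    return to_unix(rx_s, rx_f), to_unix(tx_s, tx_f)

def clock_offset(t1, packet, t4):
    """Seconds the local clock must be moved; t1/t4 are local send/receive times."""
    t2, t3 = parse_sntp_reply(packet)
    return ((t2 - t1) + (t3 - t4)) / 2

def diagnose(offset):
    """Classify an offset as 'ok', 'time-zone' or 'drift' (heuristic)."""
    if abs(offset) <= MAX_SKEW:
        return "ok"
    hours = round(offset / 3600)
    # A clock showing the right wall time under the wrong zone is off by whole hours.
    if hours != 0 and abs(offset - hours * 3600) <= MAX_SKEW:
        return "time-zone"
    return "drift"

def make_reply(server_unix):
    """Constructed sample reply (LI=0, VN=4, mode=4, stratum 2), not a capture."""
    secs = int(server_unix) + NTP_EPOCH_DELTA
    return bytes([0x24, 2, 0, 0]) + bytes(28) + struct.pack("!4I", secs, 0, secs, 0)

if __name__ == "__main__":
    local = 1300000000.0  # constructed local clock reading
    for delta in (30, 20 * 60, -4 * 3600 + 45):
        off = clock_offset(local, make_reply(local + delta), local)
        print(f"offset {off:+.0f}s -> {diagnose(off)}")
```

A "time-zone" result points to the Time Zone setting rather than the clock itself; "drift" points to synchronizing the clock with the time server.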
The Kerberos software we use at Dartmouth allows for one individual to check out a ticket from multiple Realms. The possible realms are:
If your Dartmouth affiliation is such that you are a member of more than one realm (for example, a DMS faculty member could be a member of dartmouth.edu and hitchcock.org), it is possible you are signing out a ticket from the wrong realm to access the Kerberos-controlled network service. Try closing your ticket and selecting a different realm from the pop-up menu when you are asked to sign out a new ticket.
Last Updated: 3/15/11