Skip to main content

Search this Site

DartPulse Alerts

Chrome Printing Issues

 

DartPulse Outages

Overall System Status:

Upcoming Scheduled Outages

New to Dartmouth?

Resources for:

Information Security

Connect with ITS

facebook twitter Wordpress Blog

Testing and Troubleshooting Kerberos for Mac

Even with a clean Kerberos software installation, it is still possible to run into problems when trying to access Kerberos-controlled network services. The tips provided below may help with some of the more common problems.

If the problem you are having isn't covered here, please contact the IT Service Desk (Help Desk) at 646-2999, send e-mail to help@dartmouth.edu, or call your department's IT support office. It is always possible there is a problem with your computer's system software.

Testing the Kerberos Software Installation

  1. Make sure you have cleared any open tickets. Start Kerberos from the Applications\Utilities folder and destroy any tickets that are listed.

    floating

    If you see the floating window, click on its Close box to clear the ticket.
  2. Click on the Test Kerberos button below.
    If SideCar is installed correctly, the Sign On dialog box will appear (see below). Enter your Name and Password, and select an appropriate Realm (normally Dartmouth.edu).

    Sign on window
  3. Testing Successful: If the test was successful, a web page containing information similar to the image below will appear:

    congrats
  4. Testing Unsuccessful: If you do not see a web page similar to the image above, something went wrong with the test. In most cases, it usually means some part of your current installation is improperly configured or corrupted. This can happen, from time to time, with all software programs. Fortunately, it is easy to fix the problem with a fresh software installation.

    Download the latest version of the Kerberos software for your operating system. Once downloaded, run the installation program and restart your computer. Then, come back to this page and run through the testing steps again.

If the test is unsuccessful the second time through, it's possible there are some configuration problems with your installation. For some of the common configuration problems, see below. If you still have problems accessing the Kerberos-controlled network services, please contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, send e-mail to help@dartmouth.edu, or call your department's IT support office.

Troubleshooting Kerberos Error Messages

Even with a correctly configured Kerberos setup, it is still possible to run into problems when trying to access Kerberos-controlled network services. Information about some of the standard Kerberos error codes is provided below.

Note: SideCar will not work on any Macintosh computer with an Intel processor, or any Macintosh computer manufactured after June 2006. On these machines, there is often no error message, but the system fails to authenticate.

Error code 3

If you are using a Macintosh and you receive an Error code 3, it probably means the clock on your Macintosh is set incorrectly (either the time or the time zone). The Macintosh is unable to obtain the correct time from the Kerberos ticket server to compensate for the clock error. To set the clock, go to the Date & Time System Preference and reset your clock to the correct time. If the problem persists, search for and throw out the edu.mit.kerberos file that is usually in the Users->yourusername->Library->Preferences folder. Empty your trash and restart your machine.

Error code 5

If you are using a Macintosh and you receive an Error code 5, it means you are using an incorrect password. The error text in the dialog box says Sorry, your password is incorrect. Please try again. Check to make sure the [Caps lock] key is not set. Verify that you are using the correct password.

Kerberos error 62: Password incorrect

If you are entering the correct BlitzMail password, but are still receiving a password incorrect error, change your BlitzMail password. The reason for this is arcane and fairly technical. To put it simply, BlitzMail uses an authentication process that may allow you to sign on if the password you type in is "one letter off" from your real password (for example, substituting an "m" for an "n"). So, you may be able to sign on to BlitzMail, but not able to sign on to other authenticated services.

If you are unable to change your password, please contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, send e-mail to help@dartmouth.edu, or call your department's IT support office.

Kerberos error 79 and 81

If your DND name is longer than 38 characters, you will receive error 79 or error 81 from Kerberos. There is a limit to the length of your DND name in the Kerberos software. If your full DND name is longer than 38 characters, please contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, send e-mail to help@dartmouth.edu, or call your

Good Connection, But Still Receiving an Error Message

Because of some quirks in browser programs, it is possible you are able to successfully test your Kerberos installation, but still get an error page when you try to access a Kerberos-controlled Web site. If this occurs, it is likely your browser program (Internet Explorer, Safari, Firefox, etc.) has stored the error page in its memory cache. Since the browser program thinks you have already visited that page, you get an error instead of the correct page.

The solution is to empty the cache. With most browsers, the process requires going to the Preferences or Internet Options and selecting the Clear or Empty Cache option.

SideCar Is Not Installed

If you have already gone through the testing process and have installed a clean copy of the Kerberos software, but you are still getting an error message telling you SideCar is not installed, there are three possible reasons. They all prevent Kerberos from being able to contact your computer across the network and to obtain a ticket, even if you can see your name in the floating ticket window. They are:

  1. You are on an off-campus network that employs a Network Firewall. These devices (either hardware or software) block network traffic to uncommon programs like SideCar.
  2. You are dialed into an Internet Service Provider, like AOL, that uses a Network Address Translation system that provides your computer with a fake Internet address. This fake address prevents the Dartmouth network server from contacting SideCar on your computer.
  3. You are using a browser that is configured to connect through a Proxy Server. The Proxy Server makes all browser requests on your behalf, so the Dartmouth network server thinks the Proxy Server is running SideCar because it never sees your computer's Internet address.

With each of these, you may not be able to fix the problem. If that is the case, we recommend using a VPN connection ( Mac OS X, Windows), which creates a secure network connection between your computer and the Dartmouth network. Start the VPN connection on your computer, then obtain a Kerberos ticket.

If you don't have know how to use Dartmouth's VPN software see Using the Juniper VPN, or contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, send e-mail to help@dartmouth.edu, or call your department's IT support office.

Computer Clock Is Out of Sync

If you get a "Time is out of bounds" error message, it usually means your computer's system clock is out of sync with the clock on the Kerberos ticket server. It is possible your computer has been set to an incorrect time zone, or your computer's clock is more than 10-15 minutes off from the Kerberos server's clock. The easiest way to fix this is to set the KClient/SideCar option for synchronizing your computer's clock with the Kerberos server clock.

For Mac OS X users, select System Preferences from the Apple menu, then Date & Time. Click the Set date & time automatically field and enter nts.dartmouth.edu in the field.

For Windows users, right-click on the Padlock (Kerberos) icon in your system tray and select the Synchronize Clock option. Try to access a Kerberos-controlled Web site again. If you still get a "Time is out of bounds" error message, you computer's clock may be set to a time zone other than the Eastern time zone. Double-click the Clock icon in your system tray, select the Time Zone tab and make sure it's set to Eastern Time (US & Canada) if you are in the eastern time zone. If you are in a different time zone, make sure the time is set to the correct time zone for where you are currently located and for which your computer's clock is set.

Incorrect Kerberos Realm

The Kerberos software we use at Dartmouth allows for one individual to check out a ticket from multiple Realms. The possible realms are:

  • Dartmouth.edu: Dartmouth College students, faculty, and staff.
  • Hitchcock.org: DHMC staff and DMS faculty members.
  • Dartmouth.org: Dartmouth alumni/ae.

If your Dartmouth affiliation is such that you are a member of more than one realm (for example, a DMS faculty member could be a member of dartmouth.edu and hitchcock.org), it is possible you are signing out a ticket from the wrong realm to access the Kerberos-controlled network service. Try closing your ticket and selecting a different realm from the pop-up menu when you are asked to sign out a new ticket.

Last Updated: 3/15/11