Kerberos authentication failed

Try one or more of the following:

Check the diagnostic log

1. Open a web browser, and then type IP/se, where IP is the printer IP address.

2. Click Embedded Solutions, and then do the following:

   1. Clear the log file.

   2. Set the logging level to Yes.

   3. Generate the log file.

3. Analyze the log, and then resolve the problem.

   Note: After analyzing the log, set the logging level to No.

Make sure that the configuration file is installed on the printer

• If you are using simple Kerberos setup to create the Kerberos configuration file, then do the following:

  1. From the Embedded Web Server, navigate to the configuration page for the application:

     Apps > Smart Card Authentication Client > Configure

  2. From the Simple Kerberos Setup section, make sure that the realm, domain controller, domain, and timeout values are correct.

• If you are using the device Kerberos setup file, then do the following:

  1. From the Embedded Web Server, click Settings > Security > Login Methods.

  2. From the Network Accounts section, click Kerberos > View File.

  3. If the Kerberos configuration file is not installed, then in the Import Kerberos File section, browse to the appropriate krb5.conf file.

  4. Click Save and Verify.

Make sure that the configuration file content and format are correct

• If you are using simple Kerberos setup, then modify the simple Kerberos setup settings.

• If you are using the device Kerberos setup file, then modify and reinstall the file.

Make sure that the Kerberos realm is in uppercase

• If you are using simple Kerberos setup, then do the following:

  1. From the Embedded Web Server, navigate to the configuration page for the application:

     Apps > Smart Card Authentication Client > Configure

  2. From the Simple Kerberos Setup section, make sure that the realm is correct and that it is typed in uppercase.

  3. Click Apply.

• If you are using the device Kerberos setup file, then do the following:

  1. From the Embedded Web Server, click Settings > Security > Login Methods.

  2. From the Network Accounts section, click Kerberos > View File.

  3. Make sure that the realms in the configuration file are typed in uppercase.

Specify the Microsoft® Windows® operating system domain

• If you are using simple Kerberos setup, then do the following:

  1. From the Embedded Web Server, navigate to the configuration page for the application:

     Apps > Smart Card Authentication Client > Configure

  2. From the Simple Kerberos Setup section, in the Domain field, add the Windows domain in the Domain field.

     For example, if the Domain field value is DomainName,.DomainName, and the Windows domain is x.y.z, then change the Domain field value to DomainName,.DomainName,x.y.z.

     Note: The domain is case sensitive.

  3. Click Apply.

• If you are using the device Kerberos setup file, then add an entry to the domain_realm section of the file. Type the Windows domain realm in uppercase, and then reinstall the file on the printer.

Contact your Lexmark representative

Cannot generate or read certificate information from the smart card

Try one or more of the following:

Make sure that the certificate information on the smart card is correct

Contact your Lexmark representative

Cannot validate the domain controller

Try one or more of the following:

Make sure that the realm, domain controller, and domain in the Kerberos configuration file are correct

• If you are using simple Kerberos setup, then do the following:

  1. From the Embedded Web Server, navigate to the configuration page for the application:

     Apps > Smart Card Authentication Client > Configure

  2. From the Simple Kerberos Setup section, make sure that the realm, domain controller, and domain are correct.

• If you are using the device Kerberos setup file, then do the following:

  1. From the Embedded Web Server, click Settings > Security > Login Methods.

  2. From the Network Accounts section, click Kerberos > View file.

  3. Make sure that the realm, domain controller, and domain are correct.

Increase the domain controller timeout value

• If you are using simple Kerberos setup, then do the following:

  1. From the Embedded Web Server, navigate to the configuration page for the application:

     Apps > Smart Card Authentication Client > Configure

  2. From the Simple Kerberos Setup section, in the Timeout field, enter a value from 3 to 30 seconds.

  3. Click Apply.

• If you are using the device Kerberos setup file, then enter a value from 3 to 30 seconds. When you are finished, reinstall the file on the printer. For more information on configuring the smart card settings, see Configuring the smart card settings.

Make sure that the domain controller is available

Use commas to separate multiple values. The domain controllers are validated in the order listed.

Make sure that port 88 is not blocked between the printer and the domain controller

Cannot validate the domain controller certificate

Try one or more of the following:

Make sure that the certificates that are installed on the printer are correct

For more information, see Installing certificates manually.

Make sure that the domain controller validation method is configured properly

1. From the Embedded Web Server, navigate to the configuration page for the application:

   Apps > Smart Card Authentication Client > Configure

2. From the Smart Card Setup section, in the Domain Controller Validation menu, select the appropriate validation method.

3. Click Apply.

Cannot find realm in the Kerberos configuration file

Add or change the realm

• If you are using simple Kerberos setup, then do the following:

  1. From the Embedded Web Server, navigate to the configuration page for the application:

     Apps > Smart Card Authentication Client > Configure

  2. From the Simple Kerberos Setup section, in the Realm field, add or change the realm. The realm must be typed in uppercase.

     Note: The simple Kerberos setup does not support multiple Kerberos realm entries. If multiple realms are needed, then install a Kerberos configuration file containing the necessary realms.

  3. Click Apply.

• If you are using the device Kerberos setup file, then add or change the realm in the file. The realm must be typed in uppercase. When you are finished, reinstall the file on the printer.

Domain controller and device clocks are out of sync

Make sure that the time difference between the printer and the domain controller does not exceed five minutes

For more information, see Setting the date and time.

Cannot validate the domain controller certificate chain

Try one or more of the following:

Make sure that all certificates required for chain validation are installed on the printer and that the information is correct

For more information, see Installing certificates manually.

Make sure that the certificate chain is from the domain controller to the root CA

Make sure that all certificates are not expired

1. From the Embedded Web Server, click Settings > Security > Certificate Management.

2. Make sure that the Valid From and Valid To dates have not expired.

Allow users to log in even if the status of one or more certificates is unknown

1. From the Embedded Web Server, navigate to the configuration page for the application:

   Apps > Smart Card Authentication Client > Configure

2. From the Online Certificate Status Protocol (OCSP) section, select Allow Unknown Status.

3. Click Apply.

Contact your Lexmark representative

Cannot connect to the OCSP responder

Try one or more of the following:

Make sure that the OCSP responder URL is correct

1. From the Embedded Web Server, navigate to the configuration page for the application:

   Apps > Smart Card Authentication Client > Configure

2. From the Online Certificate Status Protocol (OCSP) section, make sure that the responder URL is correct.

3. Click Apply.

Increase the responder timeout value

1. From the Embedded Web Server, navigate to the configuration page for the application:

   Apps > Smart Card Authentication Client > Configure

2. From the Online Certificate Status Protocol (OCSP) section, in the Responder Timeout field, enter a value from 5 to 30.

3. Click Apply.

Cannot validate the domain controller certificate against the OCSP responder

Try one or more of the following:

Make sure that the OCSP responder URL and the responder certificate are configured correctly

1. From the Embedded Web Server, navigate to the configuration page for the application:

   Apps > Smart Card Authentication Client > Configure

2. From the Online Certificate Status Protocol (OCSP) section, in the Responder URL field, specify the following:

   • IP address or host name of the OCSP responder or repeater

   • Port number used

   For example, http://x:y, where x is the IP address and y is the port number.

3. In the Responder Certificate field, browse to the appropriate certificate.

4. Click Apply.

Make sure that the domain controller returns the correct certificate

Make sure that the OCSP responder validates the correct domain controller certificate

Cannot access individual applications and functions on the printer

Try one or more of the following:

Allow secure access to applications or functions

For more information, see Securing access to individual applications and functions.

If the user belongs to an Active Directory group, then make sure that the group is authorized to access the applications and functions