Authentication issues

Kerberos authentication failed

Try one or more of the following:

Check the diagnostic log

  1. Open a web browser, and then type IP/se, where IP is the printer IP address.

  2. Click Embedded Solutions, and then do the following:

    1. Clear the log file.

    2. Set the logging level to Yes.

    3. Generate the log file.

  3. Analyze the log, and then resolve the problem.

    Note: After analyzing the log, set the logging level to No.

Make sure that the configuration file is installed on the printer


Make sure that the configuration file content and format are correct


Make sure that the Kerberos realm is in uppercase


Specify the Microsoft® Windows® operating system domain


Contact your Lexmark representative

Cannot generate or read certificate information from the smart card

Try one or more of the following:

Make sure that the certificate information on the smart card is correct


Contact your Lexmark representative

Cannot validate the domain controller

Try one or more of the following:

Make sure that the realm, domain controller, and domain in the Kerberos configuration file are correct


Increase the domain controller timeout value


Make sure that the domain controller is available

Use commas to separate multiple values. The domain controllers are validated in the order listed.


Make sure that port 88 is not blocked between the printer and the domain controller

Cannot validate the domain controller certificate

Try one or more of the following:

Make sure that the certificates that are installed on the printer are correct

For more information, see Installing certificates manually.


Make sure that the domain controller validation method is configured properly

  1. From the Embedded Web Server, navigate to the configuration page for the application:

    Apps > Smart Card Authentication Client > Configure

  2. From the Smart Card Setup section, in the Domain Controller Validation menu, select the appropriate validation method.

  3. Click Apply.

Cannot find realm in the Kerberos configuration file

Add or change the realm

Domain controller and device clocks are out of sync

Make sure that the time difference between the printer and the domain controller does not exceed five minutes

For more information, see Setting the date and time.

Cannot validate the domain controller certificate chain

Try one or more of the following:

Make sure that all certificates required for chain validation are installed on the printer and that the information is correct

For more information, see Installing certificates manually.


Make sure that the certificate chain is from the domain controller to the root CA


Make sure that all certificates are not expired

  1. From the Embedded Web Server, click Settings > Security > Certificate Management.

  2. Make sure that the Valid From and Valid To dates have not expired.


Allow users to log in even if the status of one or more certificates is unknown

  1. From the Embedded Web Server, navigate to the configuration page for the application:

    Apps > Smart Card Authentication Client > Configure

  2. From the Online Certificate Status Protocol (OCSP) section, select Allow Unknown Status.

  3. Click Apply.


Contact your Lexmark representative

Cannot connect to the OCSP responder

Try one or more of the following:

Make sure that the OCSP responder URL is correct

  1. From the Embedded Web Server, navigate to the configuration page for the application:

    Apps > Smart Card Authentication Client > Configure

  2. From the Online Certificate Status Protocol (OCSP) section, make sure that the responder URL is correct.

  3. Click Apply.


Increase the responder timeout value

  1. From the Embedded Web Server, navigate to the configuration page for the application:

    Apps > Smart Card Authentication Client > Configure

  2. From the Online Certificate Status Protocol (OCSP) section, in the Responder Timeout field, enter a value from 5 to 30.

  3. Click Apply.

Cannot validate the domain controller certificate against the OCSP responder

Try one or more of the following:

Make sure that the OCSP responder URL and the responder certificate are configured correctly

  1. From the Embedded Web Server, navigate to the configuration page for the application:

    Apps > Smart Card Authentication Client > Configure

  2. From the Online Certificate Status Protocol (OCSP) section, in the Responder URL field, specify the following:

    • IP address or host name of the OCSP responder or repeater

    • Port number used

    For example, http://x:y, where x is the IP address and y is the port number.

  3. In the Responder Certificate field, browse to the appropriate certificate.

  4. Click Apply.


Make sure that the domain controller returns the correct certificate


Make sure that the OCSP responder validates the correct domain controller certificate

Cannot access individual applications and functions on the printer

Try one or more of the following:

Allow secure access to applications or functions

For more information, see Securing access to individual applications and functions.


If the user belongs to an Active Directory group, then make sure that the group is authorized to access the applications and functions