Single Sign-on (SSO) login stopped working for five Foglight Management Servers (FMSs). SSO stopped working for two FMSs in the morning and stopped working for the other three FMSs in the afternoon.
The configuration in the krb5.config and krb5-auth.config files had not been changed.
The setspn -X -F output did not reveal any duplicates.
Messages like the following were reported in the ManagementServer log when an FMS was restarted:
YYYY-MM-DD hh:mm:ss.SSS INFO [forge-startup] com.quest.nitro.service.ServiceMBeanUtil - Krb5Authentication Service Starting...
...
YYYY-MM-DD hh:mm:ss.SSS ERROR [forge-startup] com.quest.nitro.service.security.krb5.Krb5AuthenticationService - Acquire server credential failed.
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
...
Caused by: KrbException: Client not found in Kerberos database (6)
...
Caused by: KrbException: Identifier doesn't match expected value (906)
When SSO debug was enabled and an FMS was restarted, the following messages were reported:
YYYY-MM-DD hh:mm:ss.SSS INFO [forge-startup] com.quest.nitro.service.ServiceMBeanUtil - Krb5Authentication Service Starting...
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] com.quest.common.config.Config - Loaded configuration "Krb5AuthConfig" from "C:\Quest_Software\Foglight\config\krb5-auth.config":
...
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - >>> KdcAccessibility: remove KDC_host_name
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - >>> KDCRep: init() encoding tag is 126 req type is 11
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - >>>KRBError:
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - sTime is Wed Jan 31 11:47:26 PST 2018 1517428046000
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - suSec is 543086
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - error code is 6
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - error Message is Client not found in Kerberos database
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - sname is krbtgt/domain.com@domain.com
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - msgType is 30
YYYY-MM-DD hh:mm:ss.SSS ERROR [forge-startup] com.quest.nitro.service.security.krb5.Krb5AuthenticationService - Acquire server credential failed.
The user principal name (UPN) associated with the service account used to generate the keytab file was changed from "HTTP/fmshost.domain.com@DOMAIN.COM" to "user@domain.com" shortly before SSO stopped working for the first two FMSs.
The change was made because the UPN was flagged by the IdFix tool, which had been run to check for possible issues with Exchange. The account is not mail enabled, so the UPN didn't actually need to be changed.
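To triage the same failure on the other FMSs, here is an added Python helper (not part of Foglight or this article) that parses the JDK Kerberos ">>>KRBError:" block relayed through the STDOUT lines above and maps the numeric error code to its RFC 4120 name and usual root cause; the embedded sample log is a constructed copy of the lines shown on this page, and the cause text for each code is an assumption.

```python
import re

# Constructed sample: a trimmed copy of the SSO debug lines shown on this page
# (JDK Kerberos debug output that Foglight relays with a "STDOUT - " prefix).
SAMPLE_LOG = """\
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - >>>KRBError:
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - sTime is Wed Jan 31 11:47:26 PST 2018 1517428046000
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - error code is 6
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - error Message is Client not found in Kerberos database
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - sname is krbtgt/domain.com@domain.com
YYYY-MM-DD hh:mm:ss.SSS VERBOSE [forge-startup] STDOUT - msgType is 30
YYYY-MM-DD hh:mm:ss.SSS ERROR [forge-startup] com.quest.nitro.service.security.krb5.Krb5AuthenticationService - Acquire server credential failed.
"""

# RFC 4120 error codes that most often explain a failed keytab login. Code 6 is the
# one on this page: the KDC has no principal matching the keytab's client name.
KRB_ERROR_CODES = {
    6: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "keytab principal no longer matches the service account's UPN/SPN"),
    7: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "requested service principal is not registered in the realm"),
    24: ("KDC_ERR_PREAUTH_FAILED", "keytab key does not match the account password (stale keytab/kvno)"),
    37: ("KRB_AP_ERR_SKEW", "clock skew between the FMS host and the KDC"),
    68: ("KDC_ERR_WRONG_REALM", "realm in krb5.config does not match the account's realm"),
}

STDOUT_MARKER = "STDOUT - "
FIELD_RE = re.compile(r"^(error code|error Message|sname|msgType) is (.*)$")

def parse_krb_errors(log_text: str) -> list[dict[str, str]]:
    """Return one dict per '>>>KRBError:' block, keyed by the KRB-ERROR field names."""
    errors, fields, in_block = [], {}, False
    for line in log_text.splitlines():
        if STDOUT_MARKER not in line:
            continue                      # not JDK Kerberos debug output
        payload = line.split(STDOUT_MARKER, 1)[1].strip()
        if payload.startswith(">>>KRBError"):
            fields, in_block = {}, True   # start of a new KRB-ERROR dump
            continue
        m = FIELD_RE.match(payload) if in_block else None
        if m:
            fields[m.group(1)] = m.group(2)
        if in_block and "msgType" in fields:  # msgType is the last field printed
            errors.append(fields)
            in_block = False
    return errors

def diagnose(err: dict[str, str]) -> str:
    """Map the numeric error code to its RFC 4120 name and the usual root cause."""
    code = int(err.get("error code", -1))
    name, cause = KRB_ERROR_CODES.get(code, ("UNKNOWN", "not mapped; see RFC 4120 section 7.5.9"))
    return f"{name} ({code}) while requesting {err.get('sname', '?')}: {cause}"
```

Run `diagnose()` over `parse_krb_errors(open(path).read())` for each ManagementServer log; a code 6 against krbtgt/ means the TGT request itself was rejected, so check the service account's UPN against the keytab principal before touching krb5.config or the SPNs.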
The change to the UPN was reverted. The UPN associated with the service account was changed back to "HTTP/fmshost.domain.com@DOMAIN.COM", and the FMSs were restarted.
© 2023 Quest Software Inc. ALL RIGHTS RESERVED.