2

When using MIT Kerberos Ticket Manager with PuTTY 0.65 and WinSCP 5.9.3, I am sometimes unable to get a connection to the server I am logging into. PuTTY will respond with either "No supported authentication methods available (server sent: )" or "No supported authentication methods available (server sent: publickey,gssapi-keyex,gssapi-with-mic)".

It seems to happen most often if I try to connect to the server before remembering to obtain a ticket first. After getting a ticket, I will keep getting the same error every time I try. It sometimes resolves itself after about an hour.

The connection to both the authentication server and the server I'm trying to connect to operates over a VPN.

I don't get any issues when using Cygwin + kinit.

Here's my log:

. 2017-01-28 14:04:38.979 Server offered these authentication methods: publickey,gssapi-keyex,gssapi-with-mic
. 2017-01-28 14:04:38.980 Using SSPI from SECUR32.DLL
. 2017-01-28 14:04:38.980 Attempting GSSAPI authentication
. 2017-01-28 14:04:39.008 GSSAPI authentication initialisation failed
. 2017-01-28 14:04:39.008 No authority could be contacted for authentication.The domain name of the authenticating party could be wrong, the domain could be unreachable, or there might have been a trust relationship failure.
. 2017-01-28 14:04:39.008 Disconnected: No supported authentication methods available (server sent: )
* 2017-01-28 14:04:39.060 (EFatal) Disconnected: No supported authentication methods available (server sent: )
Slipeer
Chris Watts

1 Answer

2

Check your DNS settings when the problem is reproduced by running ipconfig /all. Among the DNS servers there should not be any that does not know about the domain to which your server belongs.

You can check this by running, for each DNS server IP:

nslookup -type=srv _kerberos._tcp.<your server REALM> <DNS server ip>

If the query does not return any entries for some server, try removing that server from your settings, clear the DNS cache (ipconfig /flushdns) and retry the connection.

> I don't get any issues when using Cygwin + kinit.

I believe that Cygwin uses its own DNS configuration from /etc/resolv.conf, so the problem does not affect it.

Slipeer
  • Excellent answer, especially with the nslookup command debugging hint. It did turn out to be a DNS issue. My ISP's DNS is unreachable through the VPN, so unless I contact the Kerberos realm before I tunnel my connection, the lookup will time out. Changing my DNS servers to Google's public DNS works well. – Chris Watts Feb 06 '17 at 14:45
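
The per-server SRV check from the answer above, scripted in PowerShell as an added example (not part of the original answer or comments): it queries every DNS server configured on the machine for the realm's _kerberos._tcp record and reports which servers cannot answer. EXAMPLE.COM is a placeholder realm, and the DnsClient cmdlets assume Windows 8 / Server 2012 or later.

```powershell
# Added example. Assumption: EXAMPLE.COM stands in for your Kerberos realm.
param(
    [string]$Realm = 'EXAMPLE.COM'
)

$srvName = "_kerberos._tcp.$Realm"

# Every IPv4 DNS server configured on any interface, de-duplicated.
# This is the same list that "ipconfig /all" shows under "DNS Servers".
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses |
    Sort-Object -Unique

$results = foreach ($server in $dnsServers) {
    try {
        # -DnsOnly skips LLMNR/NetBIOS so only the named server is tested.
        $records = Resolve-DnsName -Name $srvName -Type SRV -Server $server `
            -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }

        [pscustomobject]@{
            DnsServer = $server
            Status    = if ($records) { 'OK' } else { 'NoSrvRecords' }
            Detail    = ($records |
                ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
    catch {
        # A timeout (server unreachable, e.g. through the VPN) or a
        # "name does not exist" answer both end up here.
        [pscustomobject]@{
            DnsServer = $server
            Status    = 'Failed'
            Detail    = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize
```

Any server listed as Failed or NoSrvRecords is a candidate for removal from the adapter's DNS settings, followed by ipconfig /flushdns as described in the answer.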