Server monitoring connection status "Kerberos error" -1765328316: Realm not local to KDC.

Created On 10/05/22 15:43 PM - Last Modified 10/22/25 23:37 PM


Symptom


The server monitoring connection status shows "Kerberos error".

GUI: Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor Account


Environment


  • Domain Controller being monitored using WinRM-HTTP as a transport method.
  • PAN NGFW using Agentless User-ID.


Cause


The firewall's userid.log shows the following messages, which identify the error:

Error: pan_user_id_krb5_init_ticket(pan_user_id_win.c:1982): failed to get krb5 tgt ticket with error -1765328316.
Error: pan_user_id_krb5_init_ticket(pan_user_id_win.c:2013): krb5 error -1765328316: Realm not local to KDC.


Resolution


  1. When configuring server monitoring with Kerberos authentication, ensure that the domain's DNS name corresponding to the Kerberos realm is entered under the Server Monitor Account ("Domain's DNS name").
  2. Navigate to the Kerberos server profile on the NGFW and verify that it is configured correctly (server FQDN, port and realm).
    1. Note that on a Windows server, the FQDN of the Kerberos server can be found under Server Manager->Tools->DNS Manager-><name-of-server>->Forward Lookup Zones-><domain-name>




Additional Information



Check the KDC configuration on the AD server for the domain name configured as the realm. It should match the domain name entered under "Domain's DNS name" in the Server Monitor Account.
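The log check from the Cause section and the realm-versus-domain comparison above, as an added Python example that is not from the article or from Palo Alto Networks. The embedded log lines are constructed to match the article's userid.log excerpt, and the domain and realm names passed in are placeholders.

```python
import re
from typing import Optional

# Constructed sample in the format of the article's userid.log excerpt.
SAMPLE_LOG = """\
Error: pan_user_id_krb5_init_ticket(pan_user_id_win.c:1982): failed to get krb5 tgt ticket with error -1765328316.
Error: pan_user_id_krb5_init_ticket(pan_user_id_win.c:2013): krb5 error -1765328316: Realm not local to KDC.
Info: unrelated line that the parser must ignore
"""

# MIT krb5 numbers KDC errors as its error-table base (-1765328384) plus the
# RFC 4120 KDC error code; code 68 is KDC_ERR_WRONG_REALM, i.e. -1765328316.
KRB5_ERROR_TABLE_BASE = -1765328384
KDC_ERR_WRONG_REALM = KRB5_ERROR_TABLE_BASE + 68

# "<Level>: <function>(<file>:<line>): krb5 error <code>: <message>."
KRB5_LINE = re.compile(
    r"^(?P<level>\w+): (?P<func>\w+)\((?P<src>[\w.]+:\d+)\): "
    r"krb5 error (?P<code>-?\d+): (?P<msg>.+?)\.?$"
)

def parse_krb5_errors(log_text: str) -> list:
    """Extract structured krb5 error records from userid.log text."""
    records = []
    for line in log_text.splitlines():
        m = KRB5_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["code"] = int(rec["code"])
            records.append(rec)
    return records

def realm_matches_domain(domain_dns_name: str, kdc_realm: str) -> bool:
    """Kerberos realms are conventionally the DNS domain in upper case, so
    compare case-insensitively after dropping any trailing dot."""
    norm = lambda s: s.strip().rstrip(".").upper()
    return norm(domain_dns_name) == norm(kdc_realm)

def diagnose(log_text: str, domain_dns_name: str, kdc_realm: str) -> Optional[str]:
    """Return a finding when the log shows a wrong-realm failure, else None."""
    for rec in parse_krb5_errors(log_text):
        if rec["code"] == KDC_ERR_WRONG_REALM:
            if not realm_matches_domain(domain_dns_name, kdc_realm):
                return (f"Server Monitor Account domain '{domain_dns_name}' does not "
                        f"match KDC realm '{kdc_realm}': fix the Domain's DNS name field")
            return "wrong-realm error but names match: check the Kerberos server profile and DNS"
    return None
```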

