Thursday, December 17, 2015

Zenoss Monitoring WinRM Error (Server not found in Kerberos database: HTTP@XX.XX.XX.XX

We recently rolled out Zenoss 5 in an environment and when we attempted to connect to Windows Servers over WinRM using a domain user received the below error:

Error on : Server not found in Kerberos database: HTTP@10.xx.xx.xx

  
After doing a tcpdump on the Zenoss server using "tcpdump -s 65535 -w filename.dmp"and loading the results into wireshark I found this in the traffic between Zenoss and the Domain Controller:
Turns out the Zenoss server was looking for an SPN of the FQDN of my Windows host and not the hostname. We went ahead and added a new SPN for the FQDN using "setspn -S HTTP/ < FQDN > < hostname >" and that resolved the issues!

One other side note: In one of the Zenoss documents that I saw it mentioned the need to install the krb5-workstation package on your remote collectors. This is easily accomplished by "yum -y install krb5-workstation" but due to the sequence of of my troubleshooting I cannot prove/disprove that it made a difference. If anyone finds this and can sort out that detail I'd be happy to hear the results.