NASA Insignia
Site Title

Troubleshooting Enterprise Connect Headaches

 

How connecting to Enterprise is supposed to work (ASD documentation).

Enterprise Connect is a tool from Apple that handles "Kerberos tickets", where Kerberos tickets (along with the ticket-granting ticket (TGT)) are the glue that connects your badge, the NASA servers, your NDC password, and apps or websites on your computer.

Proper working behavior

When it is working, the Enterprise Connect icon (diagonal key in circle, shown in menu bar at the top of the screen) should be black (well, white if you have Dark Mode enabled!) and clicking on it should show

        Signed in as <your_AUID>@ndc.nasa.gov
        Password expires in XX days

Also, when it is working, you should be able to go Terminal and run "klist" to show your Kerberos tickets, e.g.,

%  klist
Credentials cache: API:C2F27ED8-4204-4395-AFA3-3B6049DAEB9B
        Principal: dfriedla@NDC.NASA.GOV

  Issued                Expires               Principal
Mar 16 08:52:48 2020  Mar 16 18:52:47 2020 krbtgt/NDC.NASA.GOV@NDC.NASA.GOV
Mar 16 08:52:49 2020  Mar 16 18:52:47 2020 HTTP/auth.launchpad.nasa.gov@NDC.NASA.GOV
Mar 16 08:52:50 2020  Mar 16 18:52:47 2020 ldap/ndnsadc02.ndc.nasa.gov@NDC.NASA.GOV

The expiration time will usually be ten hours after the 'issued' date.

Single Sign On (SSO)

When Enterprise Connect is working, then "single sign on" (sometimes you will see it as "SSO") functions properly:

  • Going to a Launchpad web site, you will see a page with "Attempting Single Sign On" flash up briefly, followed by "Successful Single Sign On", and a quick redirect where the web page you requested loads.
  • The same should be true for applications such as Microsoft Outlook and Microsoft Teams.

Non-working behavior

When it is not working, then one gets the ecAgent dialog box showing up multiple times per minute and "klist" is empty or shows expired entries.

In addition, "single sign-on" will not function, and Outlook and web sites will ask take you to the Launchpad login page and ask for your badge PIN.

Repairing Enterprise Connect

We have some tools in Self Service.app that can help with this, or you can do it manually.

Self Service

  • Search for "Enterprise" in the upper left search box.
  • Run 'Force EC Sign Out' or 'Reset Enterprise Connect' (both can be helpful (do them in that order)
  • 'Install Enterprise Connect [v2]' can sometimes make a difference. (I am usually not a fan of reinstalling applications because this does not affect settings or preferences. But I have seen it help here.)
  • The other two 'Get Launchpad Ticket' and 'GSFC Static Domain Controller' might also help but I would use caution about the latter if one travels to other NASA centers (not that anyone is traveling at the moment).

Get the sense that there is a "throw enough mud at a wall" approach to this? :-/

Manual approach

  • Select 'Open Enterprise Connect' from the key-in-circle menu bar icon.
  • Click 'Sign Out' button and confirm.
  • Select 'Quit' from Enterprise Connect menu next to the Apple menu (don't just close the little window).
  • Go to Terminal and do
            klist
            kdestroy
            klist           #this is just a crosscheck
    	
  • Still in Terminal, do
                    ps auxww | grep Enterprise | grep -v grep
    	
    If there are any Enterprise Connect elements showing up, kill them by doing
                    kill -9 XXXX YYYY
    	
    where XXXX and YYYY are numbers that show up in the second column.
    Repeat the 'ps' command to make sure they're gone.
  • Now either wait a moment for the daemon that starts Enterprise Connect to kick it off again, or start it yourself (via Spotlight or from the Applications folder.
  • You will then need to reconfigure Enterprise Connect. Please follow these ASD instructions.

Checking smartcard badge and smartcard reader

If you have more fundamental concerns about whether your badge or smartcard reader are functioning, please see our debugging page.


David Friedlander
26 Mar 2020