Troubleshooting Enterprise Connect Headaches
How connecting to Enterprise is supposed to work (ASD documentation).
Enterprise Connect is a tool from Apple that handles "Kerberos tickets", where Kerberos tickets (along with the ticket-granting ticket (TGT)) are the glue that connects your badge, the NASA servers, your NDC password, and apps or websites on your computer.
Proper working behavior
When it is working, the Enterprise Connect icon (diagonal key in circle, shown in menu bar at the top of the screen) should be black (well, white if you have Dark Mode enabled!) and clicking on it should show
Signed in as <your_AUID>@ndc.nasa.gov Password expires in XX days
Also, when it is working, you should be able to go Terminal and run "klist" to show your Kerberos tickets, e.g.,
% klist Credentials cache: API:C2F27ED8-4204-4395-AFA3-3B6049DAEB9B Principal: dfriedla@NDC.NASA.GOV Issued Expires Principal Mar 16 08:52:48 2020 Mar 16 18:52:47 2020 krbtgt/NDC.NASA.GOV@NDC.NASA.GOV Mar 16 08:52:49 2020 Mar 16 18:52:47 2020 HTTP/auth.launchpad.nasa.gov@NDC.NASA.GOV Mar 16 08:52:50 2020 Mar 16 18:52:47 2020 ldap/ndnsadc02.ndc.nasa.gov@NDC.NASA.GOV
The expiration time will usually be ten hours after the 'issued' date.
Single Sign On (SSO)
When Enterprise Connect is working, then "single sign on" (sometimes you
will see it as "SSO") functions properly:
- Going to a Launchpad web site, you will see a page with "Attempting Single Sign On" flash up briefly, followed by "Successful Single Sign On", and a quick redirect where the web page you requested loads.
- The same should be true for applications such as Microsoft Outlook and Microsoft Teams.
Non-working behavior
When it is not working, then one gets the ecAgent dialog box showing up multiple times per minute and "klist" is empty or shows expired entries.
In addition, "single sign-on" will not function, and Outlook and web sites will ask take you to the Launchpad login page and ask for your badge PIN.
Repairing Enterprise Connect
We have some tools in Self Service.app that can help with this, or you can do it manually.
Self Service
- Search for "Enterprise" in the upper left search box.
- Run 'Force EC Sign Out' or 'Reset Enterprise Connect' (both can be helpful (do them in that order)
- 'Install Enterprise Connect [v2]' can sometimes make a difference. (I am usually not a fan of reinstalling applications because this does not affect settings or preferences. But I have seen it help here.)
- The other two 'Get Launchpad Ticket' and 'GSFC Static Domain Controller' might also help but I would use caution about the latter if one travels to other NASA centers (not that anyone is traveling at the moment).
Get the sense that there is a "throw enough mud at a wall" approach to this? :-/
Manual approach
- Select 'Open Enterprise Connect' from the key-in-circle menu bar icon.
- Click 'Sign Out' button and confirm.
- Select 'Quit' from Enterprise Connect menu next to the Apple menu (don't just close the little window).
- Go to Terminal and do
klist kdestroy klist #this is just a crosscheck
- Still in Terminal, do
ps auxww | grep Enterprise | grep -v grep
If there are any Enterprise Connect elements showing up, kill them by doingkill -9 XXXX YYYY
where XXXX and YYYY are numbers that show up in the second column.
Repeat the 'ps' command to make sure they're gone. - Now either wait a moment for the daemon that starts Enterprise Connect to kick it off again, or start it yourself (via Spotlight or from the Applications folder.
- You will then need to reconfigure Enterprise Connect. Please follow these ASD instructions.
Checking smartcard badge and smartcard reader
If you have more fundamental concerns about whether your badge or smartcard reader are functioning, please see our debugging page.
David Friedlander
26 Mar 2020