
Kerberos Extension Issue

  • January 9, 2025
  • 18 replies
  • 121 views


Hi,

After updating macOS to 15.2.0, I am not able to sign in to the Kerberos Extension. It shows "Network credential not available". When trying to sign in, I get the error "Your organization is not available". I tried commands like kinit and kdestroy.

Any other suggestions? I would appreciate any help.

 

Thanks.

18 replies

AJPinto
  • Legendary Contributor
  • January 9, 2025

Are you on a network that is able to see your domain? 


  • Author
  • New Contributor
  • January 9, 2025

Are you on a network that is able to see your domain? 


It's the same when I am connected to the office network or home Wi-Fi.


Jason33
  • Honored Contributor
  • January 9, 2025

You may want to update/redeploy the /etc/krb5.conf file. There is a chance it may have gotten corrupted on that device.


  • Author
  • New Contributor
  • January 9, 2025

You may want to update/redeploy the /etc/krb5.conf file. There is a chance it may have gotten corrupted on that device.


I have re-added the device to the config profile in Jamf Pro. Is there any other way I can try?


Shyamsundar
  • Jamf Heroes
  • January 9, 2025

Did this issue affect only one device or multiple devices? If it's multiple devices, I would check the connectivity, i.e. whether the AD is reachable from the Mac.


  • Author
  • New Contributor
  • January 9, 2025

Did this issue affect only one device or multiple devices? If it's multiple devices, I would check the connectivity, i.e. whether the AD is reachable from the Mac.


2 devices as of now, where 1 got fixed with just a restart but the other one is not getting fixed. I ran kdestroy and kinit as well, but no success.


mvu
  • Jamf Heroes
  • January 9, 2025

When you open Terminal, enter this: 

dsconfigad -show

 

Do you get information returned? Maybe try to force unbind, then rebind.


AJPinto
  • Legendary Contributor
  • January 9, 2025

It's the same when i am connected to office network or home wifi. 


I would not expect it to work from home unless you have a VPN in place that is tunneling traffic back to your on-prem network for this.

 

Can you ping the FQDN from the device?


  • Author
  • New Contributor
  • January 9, 2025

When I run dsconfigad -show, it gives information which is correct. When running klist, it gives the error "Cache not found", and kinit shows "unable to reach any KDC in realm".


mvu
  • Jamf Heroes
  • January 10, 2025

When you click the Kerberos Key in the menu bar, is the user signed in? Able to sign them out?


  • Contributor
  • January 10, 2025

When I run dsconfigad -show, it gives information which is correct. When running klist, it gives the error "Cache not found", and kinit shows "unable to reach any KDC in realm".


So just to confirm, as others have asked and it's been danced around: are you able to ping the FQDN of the directory server(s)? You mention you re-added the configuration profile to the client. What did that entail? Typically removing a Kerberos SSO extension config profile from a client requires a restart after the fact, at least in my past experience. Are you binding to AD or another directory service, or are you using the SSO extension with a local account?


  • Author
  • New Contributor
  • January 10, 2025

So just to confirm, as others have asked and it's been danced around: are you able to ping the FQDN of the directory server(s)? You mention you re-added the configuration profile to the client. What did that entail? Typically removing a Kerberos SSO extension config profile from a client requires a restart after the fact, at least in my past experience. Are you binding to AD or another directory service, or are you using the SSO extension with a local account?


Using the SSO extension with a local account. There is a config profile running in Jamf Pro; I re-added the device and restarted.


  • Author
  • New Contributor
  • January 10, 2025

When you click the Kerberos Key in the menu bar, is the user signed in? Able to sign them out?


No, normally it shows Sign Out, Change Password and Reconnect. But for the user it is just showing Sign In as the only option. Also, the Kerberos key is showing "Network Credentials not available", and when trying to sign in it shows the error in the screenshot attached.


  • Contributor
  • January 10, 2025

So I'm looking through this thread and what I'm gleaning from it is this:

1. You have an endpoint running the Kerberos SSO extension with local accounts.

2. We still don't know if this endpoint has connectivity problems, since you don't confirm or answer whether you checked that. Pretty simple: fire up Terminal and ping mydirectoryserver. Even if the client still has internet access, that doesn't mean someone couldn't have changed the DNS address to 8.8.8.8, for example, and if your directory service is on-premise that would cause the problem you're seeing here.

3. Circling back to #1: @mvu asked if you could run dsconfigad -show and see if it showed any results. You said "gives information which is correct", but dsconfigad -show should really only show results if the Mac is bound to a directory service. If it's a Mac with local account(s) and the extension, nothing should show, so I'm confused.

Just trying to get a clearer picture to better help you out.

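As an added example (not code from the thread or from Jamf), the checks the reply above asks for, done from Terminal on the Mac: which resolvers the client is actually using, whether DNS on this network still advertises KDCs for the realm, and whether each KDC answers on TCP/88. The realm CORP.EXAMPLE.COM and the SRV sample are placeholders I constructed; the live report needs dig, nc and scutil, which ship with macOS.

```bash
#!/bin/bash
# Added diagnostic helper for the situation in this thread: is the realm's KDC
# discoverable in DNS and reachable on TCP/88 from this Mac? Not the thread's
# own code; CORP.EXAMPLE.COM is a placeholder realm. Needs dig and nc (both
# ship with macOS).

# Convert `dig +short SRV _kerberos._tcp.<realm>` output (lines of
# "<priority> <weight> <port> <target.>") into "host port" lines, lowest
# priority first, which is the order a Kerberos client tries them in.
parse_srv_kdcs() {
  sort -n -k1,1 -k2,2r | awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# Live check on one KDC: open a TCP connection to port 88 (Kerberos) with a
# 3-second timeout. Unlike ping, this is not affected by ICMP being filtered.
# macOS nc uses -G for the connect timeout; -w covers the idle timeout.
check_kdc_tcp() {
  if nc -z -G 3 -w 3 "$1" "${2:-88}" >/dev/null 2>&1; then
    echo "reachable"; return 0
  fi
  echo "unreachable"; return 1
}

# Report for a realm: which resolvers the Mac actually uses, which KDCs DNS
# advertises for the realm, and whether each one answers on TCP/88.
kdc_report() {
  realm="$1"
  echo "Resolvers in use:"
  scutil --dns 2>/dev/null | grep 'nameserver\[' | sort -u
  srv=$(dig +short SRV "_kerberos._tcp.$realm")
  if [ -z "$srv" ]; then
    echo "No SRV records for $realm: this network's DNS cannot see the realm"
    echo "(off-network without VPN, or a changed resolver), so kinit will fail."
    return 1
  fi
  echo "KDCs for $realm:"
  printf '%s\n' "$srv" | parse_srv_kdcs | while read -r host port; do
    printf '  %s:%s %s\n' "$host" "$port" "$(check_kdc_tcp "$host" "$port")"
  done
}

# Constructed sample of dig output so the parser can be exercised offline.
SAMPLE_SRV='10 100 88 dc2.corp.example.com.
0 100 88 dc1.corp.example.com.'

# The live report only runs on request, so sourcing this file is network-safe.
if [ "${KRB_LIVE:-0}" = 1 ]; then kdc_report "${1:-CORP.EXAMPLE.COM}"; fi
```

Run it as `KRB_LIVE=1 bash kdc_check.sh YOUR.REALM` on the affected Mac, once on the office network and once at home; an empty SRV answer or "unreachable" KDCs off-network matches the "unable to reach any KDC in realm" error and points at DNS/VPN rather than at the profile.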

  • Author
  • New Contributor
  • January 11, 2025

So I'm looking through this thread and what I'm gleaning from it is this:

1. You have an endpoint running the Kerberos SSO extension with local accounts.

2. We still don't know if this endpoint has connectivity problems, since you don't confirm or answer whether you checked that. Pretty simple: fire up Terminal and ping mydirectoryserver. Even if the client still has internet access, that doesn't mean someone couldn't have changed the DNS address to 8.8.8.8, for example, and if your directory service is on-premise that would cause the problem you're seeing here.

3. Circling back to #1: @mvu asked if you could run dsconfigad -show and see if it showed any results. You said "gives information which is correct", but dsconfigad -show should really only show results if the Mac is bound to a directory service. If it's a Mac with local account(s) and the extension, nothing should show, so I'm confused.

Just trying to get a clearer picture to better help you out.


1. It's correct.

2. I didn't check that yet. I will check that ping here.

3. dsconfigad -show does run and provides all details, which are correct. Running klist gives this message: "Cache not found". Also kinit gives this message: krb5_get_init_creds: unable to reach any KDC in realm.

I also checked Network Account Server from Users & Groups; that shows the correct realm.

I checked for the Kerberos certificate in Keychain, and that is also present.


  • Author
  • New Contributor
  • January 13, 2025

1. It's correct.

2. I didn't check that yet. I will check that ping here.

3. dsconfigad -show does run and provides all details, which are correct. Running klist gives this message: "Cache not found". Also kinit gives this message: krb5_get_init_creds: unable to reach any KDC in realm.

I also checked Network Account Server from Users & Groups; that shows the correct realm.

I checked for the Kerberos certificate in Keychain, and that is also present.


I tried the ping. The request is getting timed out: "Request timeout for icmp_seq 0".


  • Contributor
  • January 14, 2025

I tried the ping. The request is getting timed out: "Request timeout for icmp_seq 0".


Well, that narrows things down quite a bit. Are the client and server on the same network? To rule out DNS issues, can you ping the IP address of the server?


  • Author
  • New Contributor
  • January 15, 2025

Well, that narrows things down quite a bit. Are the client and server on the same network? To rule out DNS issues, can you ping the IP address of the server?


One more thing: when the device is connected to the office network, the ping works fine.