Loading Keytab in Gateway shows "Could not login 'Do not have keys of types listed in default_tkt_enctypes available'"
Article ID: 128900
CA Rapid App Security
CA API Gateway
- During setup of Kerberos in the API Gateway, validation fails with the following error:
- Could not login 'Do not have keys of types listed in default_tkt_enctypes available'
- This applies to all Gateway versions (as of this publish date)
- Windows Active Directory KDC
- API Gateway overwrites the krb5.conf file on reboot, and the encryption types listed in that file may not contain the encryption type specified in the keytab file.
- Edit the krb5.conf file: vi /opt/SecureSpan/Gateway/node/default/var/krb5.conf
- Edit the krb5.conf file to include the expected/desired encryption type such as aes128-cts-hmac-sha1-96 for example. Be sure to replace that example with whatever encryption type is needed.
default_realm = <default_realm>
default_tkt_enctypes = aes128-cts-hmac-sha1-96,rc4-hmac,des-cbc-md5
- Validate the Kerberos communication in Policy Manager after making the above change.
- To make this change permanent, the kerberos.krb5Config.overwrite cluster property needs to be set to a value of false via Tasks -> Cluster Wide Properties.
- An alternative resolution would be to generate a new keytab with the already supported default encryption types specified in the krb5.conf file.