
Loading Keytab in Gateway shows "Could not login 'Do not have keys of types listed in default_tkt_enctypes available'"


Article ID: 128900


Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

  • During setup of Kerberos in the API Gateway, validation fails with the following error:
    • Could not login 'Do not have keys of types listed in default_tkt_enctypes available'

Environment

  • This applies to all Gateway versions (as of this publish date)
  • Windows Active Directory KDC

Cause

  • API Gateway overwrites the krb5.conf file on reboot, and the encryption types listed in that file may not contain the encryption type specified in the keytab file.

Resolution

  1. Open the krb5.conf file for editing: vi /opt/SecureSpan/Gateway/node/default/var/krb5.conf
  2. Add the expected/desired encryption type (the one used in the keytab) to the default_tkt_enctypes line. The example below uses aes128-cts-hmac-sha1-96; replace it with whatever encryption type is needed.

    [libdefaults]
    default_realm = <default_realm>
    default_tkt_enctypes = aes128-cts-hmac-sha1-96,rc4-hmac,des-cbc-md5

  3. Validate the Kerberos communication in Policy Manager after making the above change.
  4. To make this change permanent, set the kerberos.krb5Config.overwrite cluster property to false via Tasks -> Cluster Wide Properties; otherwise the Gateway will overwrite krb5.conf again on the next reboot.

Additional Information

  • An alternative resolution is to generate a new keytab using one of the encryption types already listed in the krb5.conf file, so that the keytab matches the defaults instead of the other way round.
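The mismatch behind this error can be checked before touching the Gateway: the script below (an added example, not part of this article or the API Gateway product) reads the key types stored in a keytab and compares them with the default_tkt_enctypes line of a krb5.conf. The keytab layout is the standard MIT version 2 format; the enctype number-to-name table is the standard RFC 3961 / MIT assignment, and the principal, realm and key bytes are constructed sample data.

```python
"""Report keytab key types that krb5.conf default_tkt_enctypes does not allow."""
import re
import struct

# Standard enctype numbers (RFC 3961 / MIT) for the names this article uses.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
}

def keytab_enctypes(data: bytes) -> set:
    """Parse an MIT keytab (version 0x0502, big-endian) and return its enctype numbers."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, found = 2, set()
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        for _ in range(ncomp + 1):        # realm, then each principal component
            (ln,) = struct.unpack_from(">H", entry, p); p += 2 + ln
        p += 4 + 4 + 1                    # name_type, timestamp, 8-bit kvno
        found.add(struct.unpack_from(">H", entry, p)[0])
        pos += size
    return found

def conf_enctypes(krb5_conf: str) -> set:
    """Names listed on the default_tkt_enctypes line (comma or space separated)."""
    m = re.search(r"^\s*default_tkt_enctypes\s*=\s*(.+)$", krb5_conf, re.M)
    return set(re.split(r"[\s,]+", m.group(1).strip())) if m else set()

def missing_enctypes(keytab: bytes, krb5_conf: str) -> set:
    """Keytab key types the client may not request: a non-empty result reproduces the article's error."""
    names = {ENCTYPE_NAMES.get(e, f"enctype-{e}") for e in keytab_enctypes(keytab)}
    return names - conf_enctypes(krb5_conf)

def make_keytab(principal: str, realm: str, enctype: int, key: bytes) -> bytes:
    """Build a one-entry keytab from constructed data (the key bytes are not a real key)."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, 1)            # name_type=PRINCIPAL, timestamp, kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample: an AES128 keytab against a krb5.conf that only lists rc4-hmac and des-cbc-md5.
SAMPLE_CONF = "[libdefaults]\n default_realm = EXAMPLE.COM\n default_tkt_enctypes = rc4-hmac,des-cbc-md5\n"
SAMPLE_KEYTAB = make_keytab("http/gateway.example.com", "EXAMPLE.COM", 17, b"\x00" * 16)
```

Replace SAMPLE_KEYTAB with the bytes of the real keytab and SAMPLE_CONF with the contents of /opt/SecureSpan/Gateway/node/default/var/krb5.conf; an empty result from missing_enctypes means the file and keytab agree.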