Loading Keytab in Gateway shows "Could not login 'Do not have keys of types listed in default_tkt_enctypes available'"
Article ID: 128900
Products
STARTER PACK-7
CA Rapid App Security
CA API Gateway
Issue/Introduction
During setup of Kerberos in the API Gateway, validation fails with the following error:
Could not login 'Do not have keys of types listed in default_tkt_enctypes available'
Environment
This applies to all Gateway versions (as of this publish date)
Windows Active Directory KDC
Cause
The API Gateway regenerates its krb5.conf file on restart, and the encryption types that regenerated file lists under default_tkt_enctypes may not include the encryption type the keytab was created with. When the keytab holds only keys of a type that krb5.conf does not list, the Kerberos library has no usable key and login fails with the error above.
Resolution
Edit the krb5.conf file: vi /opt/SecureSpan/Gateway/node/default/var/krb5.conf
Add the encryption type the keytab actually uses to the default_tkt_enctypes line, for example aes128-cts-hmac-sha1-96. Replace that example with whatever encryption type is needed; if the file also carries default_tgs_enctypes and permitted_enctypes lines, list the same type there so all three settings agree.
Validate the Kerberos communication in Policy Manager after making the above change.
To make this change permanent, set the kerberos.krb5Config.overwrite cluster property to false via Tasks -> Cluster Wide Properties; otherwise the Gateway will regenerate krb5.conf on the next restart and the edit will be lost.
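Before editing the file it helps to know exactly which encryption types the keytab contains and which ones krb5.conf allows, rather than guessing. The script below is an added example, not part of this article or of the Gateway product: it parses the output of MIT `klist -ket <keytab>` (which prints each key's encryption type in parentheses at the end of the entry line) and the default_tkt_enctypes line of krb5.conf, and reports any keytab encryption type the configuration does not list. The keytab path and the two configuration samples are constructed for the example; the "before" sample shows a krb5.conf as the Gateway might regenerate it, the "after" sample shows the same file with aes128-cts-hmac-sha1-96 added as the Resolution describes.

```shell
#!/bin/sh
# Added example (not from the KB article or the Gateway product).
# Checks that every encryption type present in a keytab is listed on the
# default_tkt_enctypes line of krb5.conf, i.e. the condition whose failure
# produces "Do not have keys of types listed in default_tkt_enctypes available".
#
# Assumptions: MIT `klist -ket <keytab>` output format (enctype in parentheses
# at the end of each entry line) and a krb5.conf [libdefaults] section with a
# `default_tkt_enctypes = ...` line. The keytab path below is hypothetical.

# Constructed sample of `klist -ket /opt/SecureSpan/Gateway/node/default/var/gateway.keytab`
SAMPLE_KLIST='Keytab name: FILE:/opt/SecureSpan/Gateway/node/default/var/gateway.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/02/2024 10:15:00 HTTP/gateway.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96) 
   3 01/02/2024 10:15:00 HTTP/gateway.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96) '

# Constructed "before" sample: a [libdefaults] section as the Gateway might
# regenerate it on restart, without the aes128 type the keytab uses.
SAMPLE_KRB5_CONF='[libdefaults]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
  permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac'

# Constructed "after" sample: the same section with the keytab's type added
# to all three enctype settings, as the Resolution section describes.
FIXED_KRB5_CONF='[libdefaults]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac
  default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac
  permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac'

# keytab_enctypes: read klist -ket output on stdin, print distinct enctypes, one per line
keytab_enctypes() {
    sed -n 's/.*(\([^)]*\)).*/\1/p' | sort -u
}

# conf_enctypes: read krb5.conf on stdin, print the default_tkt_enctypes values, one per line
conf_enctypes() {
    sed -n 's/^[[:space:]]*default_tkt_enctypes[[:space:]]*=[[:space:]]*//p' \
        | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# missing_enctypes KLIST_TEXT CONF_TEXT: print keytab enctypes absent from default_tkt_enctypes
missing_enctypes() {
    kt=$(printf '%s\n' "$1" | keytab_enctypes)
    cf=" $(printf '%s\n' "$2" | conf_enctypes | tr '\n' ' ') "
    for e in $kt; do
        case "$cf" in
            *" $e "*) ;;          # listed in krb5.conf: usable key
            *) echo "$e" ;;       # present in keytab but not allowed: login will fail
        esac
    done
}

# run_check KLIST_TEXT CONF_TEXT: status 0 when every keytab enctype is allowed, 1 otherwise
run_check() {
    missing=$(missing_enctypes "$1" "$2")
    if [ -n "$missing" ]; then
        echo "keytab enctypes missing from default_tkt_enctypes: $missing" >&2
        return 1
    fi
    echo "all keytab enctypes are listed in default_tkt_enctypes"
    return 0
}

# Usage on a real Gateway (paths are assumptions):
#   run_check "$(klist -ket /path/to/gateway.keytab)" "$(cat /opt/SecureSpan/Gateway/node/default/var/krb5.conf)"
run_check "$SAMPLE_KLIST" "$SAMPLE_KRB5_CONF" || true
run_check "$SAMPLE_KLIST" "$FIXED_KRB5_CONF"
```

Run against the "before" sample the check reports aes128-cts-hmac-sha1-96 as missing, which is exactly the key the Gateway cannot use; against the "after" sample it passes. Because the Gateway rewrites krb5.conf on restart unless kerberos.krb5Config.overwrite is false, re-running the check after a reboot is a quick way to confirm the edit survived.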
Additional Information
An alternative resolution is to generate a new keytab using one of the encryption types already listed on the default_tkt_enctypes line of the Gateway's krb5.conf (for example, by choosing a matching /crypto value when creating the keytab with ktpass on the Active Directory domain controller). This avoids editing krb5.conf, so the Gateway regenerating the file on restart no longer breaks the login.