When a Web Agent processes a request protected by the Kerberos authentication scheme, it reports an error and cannot handle the request:
webagent.trace:
[08/05/2019][05:10:22][2484][5060][SmKCC.cpp:111][SmKcc::getCredentials][][*10.0.0.2][][][][][Kerberos Credential Cache login failed with service principal HTTP/[email protected]
kerberos.log:
[6316] 1565004402.706001: Getting initial credentials for HTTP/[email protected]
[6316] 1565004402.706002: Setting initial creds service to krbtgt/[email protected]
[6316] 1565004402.706003: Looked up etypes in keytab: rc4-hmac
[6316] 1565004402.706004: Sending request (196 bytes) to MYSERVER.EXAMPLE.COM
[6316] 1565004402.706005: Resolving hostname 10.0.0.1
[6316] 1565004402.706006: Sending initial UDP request to dgram 10.0.0.1:88
[6316] 1565004402.706007: Received answer from dgram 10.0.0.1:88
[6316] 1565004402.753000: Response was not from master KDC
[6316] 1565004402.753001: Received error from KDC: -1765328359/Additional pre-authentication required
[6316] 1565004402.753003: Processing preauth types: 16, 15, 11, 19, 2
[6316] 1565004402.753004: Selected etype info: etype rc4-hmac, salt "", params ""
[6316] 1565004402.753005: Retrieving HTTP/[email protected] from FILE:C:\WINDOWS\keytab.keytab (vno 0, enctype rc4-hmac) with result: 0/Success
[6316] 1565004402.753006: AS key obtained for encrypted timestamp: rc4-hmac/508C
[6316] 1565004402.753008: Encrypted timestamp (for 1565004402.215195): plain ####, encrypted ####
[6316] 1565004402.753009: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[6316] 1565004402.753010: Produced preauth for next request: 2
[6316] 1565004402.753011: Sending request (272 bytes) to SERVER.EXAMPLE.COM
[6316] 1565004402.753012: Resolving hostname 10.0.0.1
[6316] 1565004402.753013: Sending initial UDP request to dgram 10.0.0.1:88
[6316] 1565004402.815000: Received answer from dgram 10.0.0.1:88
[6316] 1565004402.831000: Response was not from master KDC
[6316] 1565004402.831001: Received error from KDC: -1765328360/Preauthentication failed
Delegation is "required" for Kerberos authentication using SiteMinder, for the Web Agent or the CA Access Gateway (SPS) and the Policy Server to work.
Delegation is configured on the Web Agent and the CA Access Gateway (SPS) account in Active Directory (in ADUC, on the Delegation tab).
Choose to delegate to specific services (this is constrained delegation) and select the "smps/...@..." service name.
A recent update from Microsoft has disabled "unconstrained" delegation, so constrained delegation is now required.
That's why there's no alternative way to configure it (1).
Enable delegation for the Web Agent to solve the issue.
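
To check the delegation setting without opening ADUC, the account attributes behind the Delegation tab can be read with PowerShell. The following is an added example, not code from this article or from the product; the function name Get-DelegationSummary, the account name svc-webagent and the sample object are constructed for illustration.

```powershell
# Added example: classify the delegation setting of a service account
# from the AD attributes that back the ADUC Delegation tab.
function Get-DelegationSummary {
    param([Parameter(Mandatory)] $Account)

    # Services this account may delegate to (constrained delegation list).
    $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    # ADUC only shows the Delegation tab when the account has an SPN.
    $spns    = @($Account.ServicePrincipalNames | Where-Object { $_ })
    # Entries pointing at a Policy Server service ("smps/...").
    $smps    = @($targets | Where-Object { $_ -like 'smps/*' })

    $mode = if ($Account.TrustedForDelegation) {
        'Unconstrained'
    } elseif ($targets.Count -gt 0) {
        if ($Account.TrustedToAuthForDelegation) {
            'Constrained (any authentication protocol)'
        } else {
            'Constrained (Kerberos only)'
        }
    } else {
        'None'
    }

    [pscustomobject]@{
        Account         = $Account.SamAccountName
        HasSpn          = $spns.Count -gt 0
        Mode            = $mode
        SmpsTargets     = $smps
        DelegatesToSmps = ($mode -like 'Constrained*') -and ($smps.Count -gt 0)
    }
}

# Constructed sample: an account with an SPN but no delegation configured.
$sample = [pscustomobject]@{
    SamAccountName               = 'svc-webagent'   # hypothetical account name
    ServicePrincipalNames        = @('HTTP/webagent.example.test')
    TrustedForDelegation         = $false
    TrustedToAuthForDelegation   = $false
    'msDS-AllowedToDelegateTo'   = @()
}
Get-DelegationSummary -Account $sample

# Against a live directory (requires the ActiveDirectory module):
# $props = 'ServicePrincipalNames','TrustedForDelegation',
#          'TrustedToAuthForDelegation','msDS-AllowedToDelegateTo'
# Get-DelegationSummary -Account (Get-ADUser svc-webagent -Properties $props)
```

A result with Mode "None" or with DelegatesToSmps false means the account has not been set to delegate to the "smps/..." service described above.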