We're running a Web Agent and when it processes kerberos

authentication scheme, the Web Agent reports error and it can't handle

the request :

  [08/05/2019][05:10:22][2484][5060][SmKCC.cpp:111][SmKcc::getCredentials][<Transaction ID>][*10.0.0.2][][MyWebAgent][/myfederation/mykerberos.asp][][Kerberos Credential Cache login failed with service principal HTTP/myserver.example[email protected]

  [6316] 1565004402.706001: Getting initial credentials for HTTP/myserver.example[email protected]

  [6316] 1565004402.706002: Setting initial creds service to krbtgt/[email protected]

  [6316] 1565004402.706003: Looked up etypes in keytab: rc4-hmac

  [6316] 1565004402.706004: Sending request (196 bytes) to MYSERVER.EXAMPLE.COM

  [6316] 1565004402.706005: Resolving hostname 10.0.0.1

  [6316] 1565004402.706006: Sending initial UDP request to dgram 10.0.0.1:88

  [6316] 1565004402.706007: Received answer from dgram 10.0.0.1:88

  [6316] 1565004402.753000: Response was not from master KDC

  [6316] 1565004402.753001: Received error from KDC: -1765328359/Additional pre-authentication required

  [6316] 1565004402.753003: Processing preauth types: 16, 15, 11, 19, 2

  [6316] 1565004402.753004: Selected etype info: etype rc4-hmac, salt "", params ""

  [6316] 1565004402.753005: Retrieving HTTP/myserver.example[email protected] from FILE:C:\WINDOWS\mykeytab.keytab (vno 0, enctype rc4-hmac) with result: 0/Success

  [6316] 1565004402.753006: AS key obtained for encrypted timestamp: rc4-hmac/508C

  [6316] 1565004402.753008: Encrypted timestamp (for 1565004402.215195): plain ####, encrypted ####

  [6316] 1565004402.753009: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success

  [6316] 1565004402.753010: Produced preauth for next request: 2

  [6316] 1565004402.753011: Sending request (272 bytes) to MYSERVER.EXAMPLE.COM

  [6316] 1565004402.753012: Resolving hostname 10.0.0.1

  [6316] 1565004402.753013: Sending initial UDP request to dgram 10.0.0.1:88

  [6316] 1565004402.815000: Received answer from dgram 10.0.0.1:88

  [6316] 1565004402.831000: Response was not from master KDC

  [6316] 1565004402.831001: Received error from KDC: -1765328360/Preauthentication failed

How can we fix this ?

Release : 12.52

Component : SITEMINDER -WEB AGENT FOR IIS

Delegation is *required* for Kerberos authentication using SSO

Web Agent/Access Gateway and SSO Policy Server to work.

The delegation configuration is on the web agent/access gateway

account in Active Directory (in ADUC on Delegation tab). Choose to

delegate to specific services (this is constrained delegation) and

select the "smps/...@..." service name.

A recent update from Microsoft has disabled *unconstrained* delegation

so constrained delegation is now required.

That's why there's no alternate way to configure it from our

documentation.

Enabling delegation for the Web Agent solved the issue.