kerberos Preauthentication failed
Article ID: 137632

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On SITEMINDER

Issue/Introduction

We're running a Web Agent, and when it processes a Kerberos authentication scheme, the Web Agent reports an error and cannot handle the request:

 

  [08/05/2019][05:10:22][2484][5060][SmKCC.cpp:111][SmKcc::getCredentials][<Transaction ID>][*10.0.0.2][][MyWebAgent][/myfederation/mykerberos.asp][][Kerberos Credential Cache login failed with service principal HTTP/myserver.example[email protected]

 

  [6316] 1565004402.706001: Getting initial credentials for HTTP/myserver.example[email protected]

  [6316] 1565004402.706002: Setting initial creds service to krbtgt/[email protected]

  [6316] 1565004402.706003: Looked up etypes in keytab: rc4-hmac

  [6316] 1565004402.706004: Sending request (196 bytes) to MYSERVER.EXAMPLE.COM

  [6316] 1565004402.706005: Resolving hostname 10.0.0.1

  [6316] 1565004402.706006: Sending initial UDP request to dgram 10.0.0.1:88

  [6316] 1565004402.706007: Received answer from dgram 10.0.0.1:88

  [6316] 1565004402.753000: Response was not from master KDC

  [6316] 1565004402.753001: Received error from KDC: -1765328359/Additional pre-authentication required

  [6316] 1565004402.753003: Processing preauth types: 16, 15, 11, 19, 2

  [6316] 1565004402.753004: Selected etype info: etype rc4-hmac, salt "", params ""

  [6316] 1565004402.753005: Retrieving HTTP/myserver.example[email protected] from FILE:C:\WINDOWS\mykeytab.keytab (vno 0, enctype rc4-hmac) with result: 0/Success

  [6316] 1565004402.753006: AS key obtained for encrypted timestamp: rc4-hmac/508C

  [6316] 1565004402.753008: Encrypted timestamp (for 1565004402.215195): plain ####, encrypted ####

  [6316] 1565004402.753009: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success

  [6316] 1565004402.753010: Produced preauth for next request: 2

  [6316] 1565004402.753011: Sending request (272 bytes) to MYSERVER.EXAMPLE.COM

  [6316] 1565004402.753012: Resolving hostname 10.0.0.1

  [6316] 1565004402.753013: Sending initial UDP request to dgram 10.0.0.1:88

  [6316] 1565004402.815000: Received answer from dgram 10.0.0.1:88

  [6316] 1565004402.831000: Response was not from master KDC

  [6316] 1565004402.831001: Received error from KDC: -1765328360/Preauthentication failed

 

How can we fix this?

 

Environment

Release : 12.52

Component : SITEMINDER - WEB AGENT FOR IIS

Cause

Delegation is *required* for Kerberos authentication to work between the SSO Web Agent/Access Gateway and the SSO Policy Server.

The delegation configuration is on the Web Agent/Access Gateway account in Active Directory (in ADUC, on the Delegation tab). Choose to delegate to specific services (this is constrained delegation) and select the "smps/...@..." service name.

A recent update from Microsoft has disabled *unconstrained* delegation, so constrained delegation is now required.

That is why our documentation offers no alternative way to configure it.


Resolution

Enabling delegation for the Web Agent solved the issue.
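
To read a trace like the one in the Issue section, the following added example (not part of the original article or of the product) parses MIT krb5 trace lines, converts the KDC error numbers to their RFC 4120 codes, and reports which keytab key was used. The sample trace, its principal and its realm are constructed placeholders, and `summarize_trace` is a hypothetical helper name.

```python
import re

# MIT krb5 prints KDC errors as com_err numbers: table base + RFC 4120 error code.
KRB5_ERROR_TABLE_BASE = -1765328384
KDC_ERRORS = {24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED"}

LINE = re.compile(r"\[\d+\]\s+(\d+\.\d+):\s+(.*)")
KDC_ERR = re.compile(r"Received error from KDC: (-?\d+)/(.*)")
KEYTAB = re.compile(r"Retrieving (\S+) from (\S+) \(vno (\d+), enctype ([\w-]+)\)")

# Constructed sample modelled on the article's trace; principal and realm are placeholders.
SAMPLE_TRACE = r"""
  [6316] 1565004402.706003: Looked up etypes in keytab: rc4-hmac
  [6316] 1565004402.753001: Received error from KDC: -1765328359/Additional pre-authentication required
  [6316] 1565004402.753005: Retrieving HTTP/web.example.test@EXAMPLE.TEST from FILE:C:\WINDOWS\mykeytab.keytab (vno 0, enctype rc4-hmac) with result: 0/Success
  [6316] 1565004402.753010: Produced preauth for next request: 2
  [6316] 1565004402.831001: Received error from KDC: -1765328360/Preauthentication failed
"""


def summarize_trace(text):
    """Summarize the KDC errors and keytab key used in an MIT krb5 trace log."""
    summary = {"errors": [], "keytab": None, "keytab_etypes": []}
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        stamp, msg = float(line.group(1)), line.group(2)
        if msg.startswith("Looked up etypes in keytab:"):
            summary["keytab_etypes"] = [e.strip() for e in msg.split(":", 1)[1].split(",")]
        elif key := KEYTAB.search(msg):
            principal, path, vno, etype = key.groups()
            summary["keytab"] = {"principal": principal, "path": path, "vno": int(vno), "enctype": etype}
        elif err := KDC_ERR.search(msg):
            code = int(err.group(1)) - KRB5_ERROR_TABLE_BASE
            summary["errors"].append({"time": stamp, "code": code, "hex": hex(code),
                                      "name": KDC_ERRORS.get(code, err.group(2))})
    names = [e["name"] for e in summary["errors"]]
    # PREAUTH_REQUIRED on the first AS-REQ is the normal prompt to send an
    # encrypted timestamp; the last error in the trace is the real outcome.
    summary["preauth_prompt_seen"] = names[:1] == ["KDC_ERR_PREAUTH_REQUIRED"]
    summary["outcome"] = names[-1] if names else "no KDC error"
    return summary


if __name__ == "__main__":
    for key, value in summarize_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

The `hex` field gives the error code in the form used for failure codes in domain controller audit logs, so the agent-side trace can be matched to the KDC side. Running it on a fresh trace after the delegation change should report `no KDC error`.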