We're running a Web Agent, and when it processes the Kerberos
authentication scheme, the Web Agent reports an error and can't handle
the request:
[08/05/2019][05:10:22][2484][5060][SmKCC.cpp:111][SmKcc::getCredentials][<Transaction ID>][*10.0.0.2][][MyWebAgent][/myfederation/mykerberos.asp][][Kerberos Credential Cache login failed with service principal HTTP/myserver.example[email protected]
[6316] 1565004402.706001: Getting initial credentials for HTTP/myserver.example[email protected]
[6316] 1565004402.706002: Setting initial creds service to krbtgt/[email protected]
[6316] 1565004402.706003: Looked up etypes in keytab: rc4-hmac
[6316] 1565004402.706004: Sending request (196 bytes) to MYSERVER.EXAMPLE.COM
[6316] 1565004402.706005: Resolving hostname 10.0.0.1
[6316] 1565004402.706006: Sending initial UDP request to dgram 10.0.0.1:88
[6316] 1565004402.706007: Received answer from dgram 10.0.0.1:88
[6316] 1565004402.753000: Response was not from master KDC
[6316] 1565004402.753001: Received error from KDC: -1765328359/Additional pre-authentication required
[6316] 1565004402.753003: Processing preauth types: 16, 15, 11, 19, 2
[6316] 1565004402.753004: Selected etype info: etype rc4-hmac, salt "", params ""
[6316] 1565004402.753005: Retrieving HTTP/myserver.example[email protected] from FILE:C:\WINDOWS\mykeytab.keytab (vno 0, enctype rc4-hmac) with result: 0/Success
[6316] 1565004402.753006: AS key obtained for encrypted timestamp: rc4-hmac/508C
[6316] 1565004402.753008: Encrypted timestamp (for 1565004402.215195): plain ####, encrypted ####
[6316] 1565004402.753009: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[6316] 1565004402.753010: Produced preauth for next request: 2
[6316] 1565004402.753011: Sending request (272 bytes) to MYSERVER.EXAMPLE.COM
[6316] 1565004402.753012: Resolving hostname 10.0.0.1
[6316] 1565004402.753013: Sending initial UDP request to dgram 10.0.0.1:88
[6316] 1565004402.815000: Received answer from dgram 10.0.0.1:88
[6316] 1565004402.831000: Response was not from master KDC
[6316] 1565004402.831001: Received error from KDC: -1765328360/Preauthentication failed
How can we fix this?
Release : 12.52
Component : SITEMINDER -WEB AGENT FOR IIS
Delegation is *required* for Kerberos authentication to work with the SSO
Web Agent/Access Gateway and the SSO Policy Server.
The delegation configuration is set on the Web Agent/Access Gateway
account in Active Directory (on the Delegation tab in ADUC). Choose to
delegate to specific services only (this is constrained delegation) and
select the "smps/...@..." service name.
A recent update from Microsoft has disabled *unconstrained* delegation,
so constrained delegation is now required.
That is why our documentation offers no alternate way to configure it.
Enabling delegation for the Web Agent solved the issue.
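The ADUC step above can also be done and verified from PowerShell. The following is an added example, not part of the KB article or of the SiteMinder product; it uses the ActiveDirectory module to populate the account's constrained-delegation list with the Policy Server's "smps/..." SPN and then reads the delegation attributes back. The account name `svc-webagent` and the SPN `smps/policyserver.example.com` are constructed placeholders.

```powershell
# Added example (not from the KB article): set constrained delegation on the
# Web Agent's AD service account to the Policy Server "smps/..." SPN and verify
# that unconstrained delegation stays off. Names are placeholders.
Import-Module ActiveDirectory

$AgentAccount    = 'svc-webagent'                     # placeholder: account the IIS Web Agent runs as
$PolicyServerSpn = 'smps/policyserver.example.com'    # placeholder: SPN of the SSO Policy Server

# Confirm the target SPN is registered in the directory before delegating to it;
# delegating to an SPN nobody owns silently fails at ticket request time.
$spnOwner = Get-ADObject -LDAPFilter "(servicePrincipalName=$PolicyServerSpn)" -Properties servicePrincipalName
if (-not $spnOwner) { throw "SPN $PolicyServerSpn is not registered on any account" }

# Constrained delegation: the agent may request service tickets only for the
# listed SPN. Use Set-ADComputer instead if the agent identity is a computer account.
Set-ADUser -Identity $AgentAccount -Add @{ 'msDS-AllowedToDelegateTo' = $PolicyServerSpn }

# Read back the delegation state: the constrained list should contain the SPN,
# and TrustedForDelegation (unconstrained) should remain False.
$acct = Get-ADUser -Identity $AgentAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
[pscustomobject]@{
    Account                 = $acct.SamAccountName
    AllowedToDelegateTo     = ($acct.'msDS-AllowedToDelegateTo' -join ';')
    UnconstrainedDelegation = $acct.TrustedForDelegation
    ProtocolTransition      = $acct.TrustedToAuthForDelegation
}
```

Run it as a user with rights to modify the agent account. The final object is the check worth keeping in a runbook: `AllowedToDelegateTo` lists the smps SPN, and `UnconstrainedDelegation` is `False`, matching the constrained-only configuration the answer calls for.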