Article ID: 137632


We're running a Web Agent, and when it processes the Kerberos authentication scheme, the Web Agent reports an error and can't handle the request:


  [08/05/2019][05:10:22][2484][5060][SmKCC.cpp:111][SmKcc::getCredentials][<Transaction ID>][*][][MyWebAgent][/myfederation/mykerberos.asp][][Kerberos Credential Cache login failed with service principal HTTP/myserver.example[email protected]


  [6316] 1565004402.706001: Getting initial credentials for HTTP/myserver.example[email protected]

  [6316] 1565004402.706002: Setting initial creds service to krbtgt/[email protected]

  [6316] 1565004402.706003: Looked up etypes in keytab: rc4-hmac

  [6316] 1565004402.706004: Sending request (196 bytes) to MYSERVER.EXAMPLE.COM

  [6316] 1565004402.706005: Resolving hostname

  [6316] 1565004402.706006: Sending initial UDP request to dgram

  [6316] 1565004402.706007: Received answer from dgram

  [6316] 1565004402.753000: Response was not from master KDC

  [6316] 1565004402.753001: Received error from KDC: -1765328359/Additional pre-authentication required

  [6316] 1565004402.753003: Processing preauth types: 16, 15, 11, 19, 2

  [6316] 1565004402.753004: Selected etype info: etype rc4-hmac, salt "", params ""

  [6316] 1565004402.753005: Retrieving HTTP/myserver.example[email protected] from FILE:C:\WINDOWS\mykeytab.keytab (vno 0, enctype rc4-hmac) with result: 0/Success

  [6316] 1565004402.753006: AS key obtained for encrypted timestamp: rc4-hmac/508C

  [6316] 1565004402.753008: Encrypted timestamp (for 1565004402.215195): plain ####, encrypted ####

  [6316] 1565004402.753009: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success

  [6316] 1565004402.753010: Produced preauth for next request: 2

  [6316] 1565004402.753011: Sending request (272 bytes) to MYSERVER.EXAMPLE.COM

  [6316] 1565004402.753012: Resolving hostname

  [6316] 1565004402.753013: Sending initial UDP request to dgram

  [6316] 1565004402.815000: Received answer from dgram

  [6316] 1565004402.831000: Response was not from master KDC

  [6316] 1565004402.831001: Received error from KDC: -1765328360/Preauthentication failed


How can we fix this?



Delegation is *required* for Kerberos authentication using SSO Web Agent/Access Gateway and SSO Policy Server to work.

The delegation configuration is on the web agent/access gateway account in Active Directory (in ADUC, on the Delegation tab). Choose to delegate to specific services (this is constrained delegation) and select the "smps/...@..." service name.

A recent update from Microsoft has disabled *unconstrained* delegation, so constrained delegation is now required.

That's why there's no alternate way to configure it from our



Enabling delegation for the Web Agent solved the issue.
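
To confirm the setting without opening the ADUC Delegation tab, the following read-only check reports the delegation mode on the Web Agent account and whether an "smps/" service is among its allowed targets. It is an added example, not part of the original article or the vendor's tooling. It assumes the RSAT ActiveDirectory module is installed and that the Web Agent service account is a user object; `svc-webagent` is a placeholder account name.

```powershell
# Added example: read-only check of the delegation settings described above.
# ASSUMPTIONS: the Web Agent service account is an AD *user* object, and
# 'svc-webagent' is a placeholder for its sAMAccountName.
Import-Module ActiveDirectory

function Test-WebAgentDelegation {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $TargetServiceClass = 'smps'   # service class named in the article
    )

    $props = 'ServicePrincipalName', 'TrustedForDelegation',
             'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
    $acct = Get-ADUser -Identity $Identity -Properties $props

    # Services this account may delegate to (empty when nothing is configured).
    $allowed = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $toPolicyServer = @($allowed | Where-Object { $_ -like "$TargetServiceClass/*" })

    if ($acct.TrustedForDelegation) {
        $mode = 'Unconstrained'      # "Trust this user for delegation to any service"
    } elseif ($allowed.Count -gt 0) {
        $mode = 'Constrained'        # "...to specified services only"
    } else {
        $mode = 'None'               # "Do not trust this user for delegation"
    }

    [pscustomobject]@{
        Account                = $acct.SamAccountName
        SPNs                   = @($acct.ServicePrincipalName)
        DelegationMode         = $mode
        ProtocolTransition     = [bool]$acct.TrustedToAuthForDelegation
        AllowedToDelegateTo    = $allowed
        PolicyServerTargets    = $toPolicyServer
        # The article's fix: constrained delegation to the smps/ service.
        MatchesArticleGuidance = ($mode -eq 'Constrained' -and $toPolicyServer.Count -gt 0)
    }
}

Test-WebAgentDelegation -Identity 'svc-webagent' | Format-List
```

A `DelegationMode` of `None` or `Unconstrained`, or an empty `PolicyServerTargets`, means the account does not match the configuration described above.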