Error : Policy Server failed to validate Message=Wrong principal in request in Kerberos Authentication


Article ID: 138378



CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER



When the Policy Server tries to authenticate a user through the Kerberos
authentication scheme, it reports the following error:

   Message=Wrong principal in request

The Web Agent and Policy Server traces report the following:

WebAgentTrace.log :

  [Token length is greater than usual password string,
  using variable length buffer (length = 3704, asciiEncodedLen = 4941)]

  [User '[email protected]' is not authenticated by Policy Server.]

smtracedefault.log :

  [Failed to validate user [email protected]:
  Minor Status=2529639056, Major Status=851968, Message=Wrong principal in request]

smps.log :

  [5940/2944][Thu Aug 22 2019 23:06:29][SmAuthServer.cpp:335][INFO][sm-Server-02750]
  Loaded authentication scheme Siteminder Kerberos Authentication. Version 768 .
  SiteMinder (TM) Kerberos Authentication Scheme

  [5940/6280][Thu Aug 22 2019 23:06:30][SmAuthServer.cpp:364][INFO][sm-Server-02760]
  Initialized authentication scheme Siteminder Kerberos Authentication

and the user is not authenticated.




  Web Agent 12.52SP1CR09 on IIS 8.5 on Windows 2012R2;
  Policy Server 12.8SP1CR00 on Windows 2012R2;
  Active Directory 2012R2;




  1. Register only one SPN on the Active Directory user account used by
     the Web Agent;

  2. Enable "constrained delegation" on the Web Agent account and set
     the Policy Server service account as the delegation target;

  3. Make sure that Chrome has AuthServerAllowlist and
     AuthNegotiateDelegateAllowlist configured (1);

This solves the issue at the Policy Server level and the user is able to
log in.
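As an added example (not part of the CA/Broadcom article), the PowerShell script below checks each of the three resolution items and, when run with -Apply, sets them. Every account name, SPN and host pattern in it is a placeholder: the Web Agent account, its single HTTP SPN, the Chrome allowlist pattern and, in particular, the Policy Server SPN, whose service class must be replaced with the SPN actually registered to your Policy Server service account. It assumes the ActiveDirectory RSAT module and a domain account permitted to edit the two service accounts; the Chrome values are normally delivered through Group Policy, so the direct registry write is only for a single test workstation.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not from the CA/Broadcom article: verifies (and with -Apply, sets)
  the three resolution items. All names below are placeholders; replace them.
#>
param(
    [string]$WebAgentAccount = 'svc-webagent',                      # placeholder: account the Web Agent / IIS app pool runs as
    [string]$WebAgentSpn     = 'HTTP/webagent.example.com',         # placeholder: the single SPN that account should hold
    [string]$PolicyServerSpn = 'SERVICE/policyserver.example.com',  # placeholder: SPN registered to the Policy Server service account
    [string]$ChromeAllowlist = '*.example.com',                     # placeholder: hosts Chrome may authenticate and delegate to
    [switch]$Apply
)

$ErrorActionPreference = 'Stop'

# Step 1: the Web Agent account must carry exactly one SPN, and no other directory
# object may carry that same SPN (duplicate SPNs break Kerberos ticket issuance).
function Test-WebAgentSpn {
    $acct = Get-ADUser -Identity $WebAgentAccount -Properties servicePrincipalName
    $spns = @($acct.servicePrincipalName)
    Write-Host ("[{0}] SPNs: {1}" -f $WebAgentAccount, ($spns -join ', '))
    if ($spns.Count -ne 1 -or $spns[0] -ne $WebAgentSpn) {
        Write-Warning "Expected exactly one SPN ($WebAgentSpn) on $WebAgentAccount."
        if ($Apply) {
            Set-ADUser -Identity $WebAgentAccount -Replace @{ servicePrincipalName = $WebAgentSpn }
        }
    }
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$WebAgentSpn)" -Properties servicePrincipalName)
    if ($owners.Count -gt 1) {
        Write-Warning ("SPN {0} is registered on {1} objects: {2}" -f `
            $WebAgentSpn, $owners.Count, ($owners.DistinguishedName -join '; '))
    }
}

# Step 2: Kerberos-only constrained delegation from the Web Agent account to the
# Policy Server service. The target list lives in msDS-AllowedToDelegateTo.
function Test-ConstrainedDelegation {
    $acct = Get-ADUser -Identity $WebAgentAccount -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
    $targets = @($acct.'msDS-AllowedToDelegateTo')
    Write-Host ("[{0}] msDS-AllowedToDelegateTo: {1}" -f $WebAgentAccount, ($targets -join ', '))
    if ($targets -notcontains $PolicyServerSpn) {
        Write-Warning "Delegation target $PolicyServerSpn is missing on $WebAgentAccount."
        if ($Apply) {
            Set-ADUser -Identity $WebAgentAccount -Add @{ 'msDS-AllowedToDelegateTo' = $PolicyServerSpn }
        }
    }
    # "Use Kerberos only" is enough for this flow; protocol transition widens the account's reach.
    if ($acct.TrustedToAuthForDelegation) {
        Write-Warning "$WebAgentAccount has protocol transition enabled; Kerberos-only delegation suffices here."
    }
}

# Step 3: Chrome machine policy on the browser workstation. Chrome 86 and later read
# AuthServerAllowlist / AuthNegotiateDelegateAllowlist; the old *Whitelist names are
# the pre-86 equivalents mentioned in the article.
function Test-ChromePolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    foreach ($name in 'AuthServerAllowlist', 'AuthNegotiateDelegateAllowlist') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) {
            Write-Warning "$name is not set under $key."
            if ($Apply) {
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name $name -PropertyType String -Value $ChromeAllowlist -Force | Out-Null
            }
        } else {
            Write-Host "$name = $value"
        }
    }
}

Test-WebAgentSpn
Test-ConstrainedDelegation
Test-ChromePolicy
```

Run it once without -Apply to see which of the three items is off; the SPN duplicate check is worth keeping even after the fix, since a second object acquiring the same HTTP SPN later reintroduces the same failure.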


Additional Information



    Kerberos Troubleshooting

        Verify that both the AuthServerWhitelist and
        AuthNegotiateDelegateWhitelist settings are configured. Starting
        with Google Chrome 86 these settings were renamed to
        AuthServerAllowlist and AuthNegotiateDelegateAllowlist.

        These setting names are case sensitive.