Error : Policy Server failed to validate Message=Wrong principal in request in Kerberos Authentication

Article ID: 138378


Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

When a Policy Server tries to authenticate a user with the Kerberos
authentication scheme, it reports the following error:

   Message=Wrong principal in request

The Web Agent and Policy Server traces report the following:

WebAgentTrace.log:

  [08/22/2019][23:06:30][6940][4948][SmKCC.cpp:195][SmKcc::getCredentials]
  [0000000000000000000000008b260b0a-1b1c-5d5f8265-1354-0271530b][*10.0.0.1]
  [][myagent][/mykerberos/index.html][]
  [Token length is greater than usual password string,
  using variable length buffer (length = 3704, asciiEncodedLen = 4941)]

  [08/22/2019][23:06:30][6940][4948][CSmLowLevelAgent.cpp:1346][AuthenticateUser]
  [0000000000000000000000008b260b0a-1b1c-5d5f8265-1354-0271530b]
  [*10.0.0.1][][myagent][/mykerberos/index.html][]
  [User '[email protected]' is not authenticated by Policy Server.]

smtracedefault.log:

  [08/22/2019][23:06:30.293][23:06:30][5940][6280][smauthkerberos.cpp:474]
  [SmAuthenticate][][][][][][][][][][][][][][][][][][][][]
  [Failed to validate user [email protected]:
  Minor Status=2529639056, Major Status=851968, Message=Wrong principal in request]

smps.log:

  [5940/2944][Thu Aug 22 2019 23:06:29][SmAuthServer.cpp:335][INFO][sm-Server-02750]
  Loaded authentication scheme Siteminder Kerberos Authentication. Version 768 .
  SiteMinder (TM) Kerberos Authentication Scheme

  [5940/6280][Thu Aug 22 2019 23:06:30][SmAuthServer.cpp:364][INFO][sm-Server-02760]
  Initialized authentication scheme Siteminder Kerberos Authentication

As a result, the user is not authenticated.
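The smtracedefault.log line above carries the raw GSS-API status pair ("Minor Status=2529639056, Major Status=851968") next to the text message. The following PowerShell function is an added example, not code from the Broadcom article or from the SiteMinder product: it decodes such a pair into the GSS-API routine error (RFC 2744 puts it in bits 16-23 of the major status) and the MIT krb5 error-table offset behind the minor status. It assumes the Policy Server's GSS mechanism reports MIT-style krb5 com_err codes as its minor status; the sample line is the article's own trace entry joined back onto one line.

```powershell
# Added example, not part of the Broadcom article: decode the
# "Minor Status=..., Major Status=..." pair that smtracedefault.log prints
# when the Kerberos scheme fails. Assumes the minor status is an MIT-style
# krb5 com_err code rendered as an unsigned 32-bit number.

# GSS-API routine errors (RFC 2744 section 3.9.1), bits 16-23 of the major status.
$GssRoutineErrors = @{
    1  = 'GSS_S_BAD_MECH';            2  = 'GSS_S_BAD_NAME'
    3  = 'GSS_S_BAD_NAMETYPE';        4  = 'GSS_S_BAD_BINDINGS'
    5  = 'GSS_S_BAD_STATUS';          6  = 'GSS_S_BAD_SIG'
    7  = 'GSS_S_NO_CRED';             8  = 'GSS_S_NO_CONTEXT'
    9  = 'GSS_S_DEFECTIVE_TOKEN';     10 = 'GSS_S_DEFECTIVE_CREDENTIAL'
    11 = 'GSS_S_CREDENTIALS_EXPIRED'; 12 = 'GSS_S_CONTEXT_EXPIRED'
    13 = 'GSS_S_FAILURE';             14 = 'GSS_S_BAD_QOP'
    15 = 'GSS_S_UNAUTHORIZED';        16 = 'GSS_S_UNAVAILABLE'
    17 = 'GSS_S_DUPLICATE_ELEMENT';   18 = 'GSS_S_NAME_NOT_MN'
}

# ERROR_TABLE_BASE_krb5 from MIT krb5 (krb5_err.h). A krb5 error code is
# base + offset; offsets below 128 are the RFC 4120 wire error numbers.
$Krb5ErrorTableBase = -1765328384
$Krb5Offsets = @{
    31  = 'KRB5KRB_AP_ERR_BAD_INTEGRITY'
    32  = 'KRB5KRB_AP_ERR_TKT_EXPIRED'
    35  = 'KRB5KRB_AP_ERR_NOT_US'
    37  = 'KRB5KRB_AP_ERR_SKEW'
    143 = 'KRB5_NO_TKT_SUPPLIED'
    144 = 'KRB5KRB_AP_WRONG_PRINC'   # "Wrong principal in request"
}

function ConvertFrom-SmKerberosStatus {
    param([Parameter(Mandatory)][string]$TraceLine)

    if (-not ($TraceLine -match 'Minor Status=(\d+), Major Status=(\d+)')) {
        throw "No Kerberos status pair found in: $TraceLine"
    }
    $minor = [long]$Matches[1]
    $major = [long]$Matches[2]

    # Split the GSS major status into its three RFC 2744 fields
    # (integer division instead of -shr so this also runs on PowerShell 4).
    $callingError  = [int][math]::Floor($major / 16777216) -band 0xFF
    $routineError  = [int][math]::Floor($major / 65536) -band 0xFF
    $supplementary = $major -band 0xFFFF
    $routineName = if ($GssRoutineErrors.ContainsKey($routineError)) {
        $GssRoutineErrors[$routineError]
    } else { "unknown routine error $routineError" }

    # The trace prints the signed 32-bit com_err code as unsigned; undo that.
    $signedMinor = if ($minor -gt 2147483647) { $minor - 4294967296 } else { $minor }
    $offset = [int]($signedMinor - $Krb5ErrorTableBase)
    $krb5Name = if ($offset -ge 0 -and $offset -lt 256) {
        if ($Krb5Offsets.ContainsKey($offset)) { $Krb5Offsets[$offset] }
        else { "krb5 error table offset $offset (not in this lookup table)" }
    } else { "minor status is not a krb5 error-table code" }

    $message = if ($TraceLine -match 'Message=([^\]]+)') { $Matches[1].Trim() } else { $null }

    [pscustomobject]@{
        MajorStatus      = $major
        CallingError     = $callingError
        RoutineError     = $routineError
        RoutineErrorName = $routineName
        Supplementary    = $supplementary
        MinorStatus      = $minor
        MinorSigned      = $signedMinor
        Krb5Offset       = $offset
        Krb5ErrorName    = $krb5Name
        Message          = $message
    }
}

# The article's own trace entry, joined onto one line as it appears in the real log.
$sampleLine = '[08/22/2019][23:06:30.293][23:06:30][5940][6280][smauthkerberos.cpp:474]' +
    '[SmAuthenticate][][][][][][][][][][][][][][][][][][][][]' +
    '[Failed to validate user [email protected]: ' +
    'Minor Status=2529639056, Major Status=851968, Message=Wrong principal in request]'

ConvertFrom-SmKerberosStatus -TraceLine $sampleLine | Format-List
```

For the article's pair this yields routine error 13 (GSS_S_FAILURE, so the major status says nothing beyond "the mechanism failed") and signed minor -1765328240, offset 144 from the krb5 table base, which is KRB5KRB_AP_WRONG_PRINC, the code whose text is exactly "Wrong principal in request": the service ticket the browser sent was issued for a principal other than the one the Policy Server holds a key for, which is what a second or duplicated SPN produces. To scan a whole trace file, pipe `Select-String -Path smtracedefault.log -Pattern 'Major Status='` through `ForEach-Object { ConvertFrom-SmKerberosStatus $_.Line }`.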

 

Environment

 

  Web Agent 12.52SP1CR09 on IIS 8.5 on Windows 2012R2
  Policy Server 12.8SP1CR00 on Windows 2012R2
  Active Directory 2012R2

 

Resolution

 

  1. Set only one SPN on the Active Directory user account used by the
     Web Agent;

  2. Enable "constrained delegation" on the Web Agent account and point
     it at the Policy Server service account;

  3. Make sure that Chrome has AuthServerAllowlist and
     AuthNegotiateDelegateAllowlist configured (1).

This resolves the issue at the Policy Server level and the user is able
to log in.
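The three Resolution points can be verified before and after the change from a domain-joined administration host. The script below is an added example, not code from the Broadcom article or from the SiteMinder product. It assumes the RSAT ActiveDirectory module is installed; the account names `svc-webagent` and `svc-policyserver` are hypothetical placeholders, and the third check reads Chrome's machine policy from the registry of the host it runs on, so that part belongs on the user's workstation.

```powershell
# Added example, not part of the Broadcom article: check the three Resolution
# points (single SPN, constrained delegation to the Policy Server, Chrome
# allowlist policies). Requires the RSAT ActiveDirectory module. Account
# names below are hypothetical placeholders.
Import-Module ActiveDirectory

$agentAccountName  = 'svc-webagent'      # hypothetical: account holding the Web Agent's HTTP/ SPN
$policyAccountName = 'svc-policyserver'  # hypothetical: Policy Server service account

function Test-SmKerberosSetup {
    param(
        [Parameter(Mandatory)][string]$WebAgentAccount,
        [Parameter(Mandatory)][string]$PolicyServerAccount
    )
    $findings = New-Object System.Collections.Generic.List[string]

    $agent = Get-ADUser -Identity $WebAgentAccount `
        -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo'
    $agentSpns = @($agent.servicePrincipalName | Where-Object { $_ })

    # 1. Exactly one SPN on the Web Agent account, registered on no other object.
    if ($agentSpns.Count -ne 1) {
        $findings.Add("Web Agent account has $($agentSpns.Count) SPNs, expected 1: $($agentSpns -join ', ')")
    }
    foreach ($spn in $agentSpns) {
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($holders.Count -gt 1) {
            $findings.Add("SPN $spn is registered on more than one object: $($holders.DistinguishedName -join '; ')")
        }
    }

    # 2. Constrained delegation from the Web Agent account to a Policy Server SPN.
    $policySpns = @((Get-ADUser -Identity $PolicyServerAccount -Properties servicePrincipalName).servicePrincipalName |
        Where-Object { $_ })
    $delegateTo = @($agent.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    if ($delegateTo.Count -eq 0) {
        $findings.Add("No constrained delegation (msDS-AllowedToDelegateTo) configured on $WebAgentAccount")
    } elseif (-not ($delegateTo | Where-Object { $policySpns -contains $_ })) {
        $findings.Add("Delegation targets [$($delegateTo -join ', ')] do not include a Policy Server SPN [$($policySpns -join ', ')]")
    }

    # 3. Chrome machine policies on this host (names per the article's footnote).
    $chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    foreach ($name in 'AuthServerAllowlist', 'AuthNegotiateDelegateAllowlist') {
        $value = Get-ItemProperty -Path $chromePolicy -Name $name -ErrorAction SilentlyContinue
        if (-not $value -or [string]::IsNullOrWhiteSpace($value.$name)) {
            $findings.Add("Chrome policy $name is not set under $chromePolicy")
        }
    }

    if ($findings.Count -eq 0) { 'All three checks passed.' } else { $findings }
}

Test-SmKerberosSetup -WebAgentAccount $agentAccountName -PolicyServerAccount $policyAccountName
```

The first check looks for two different faults: more than one SPN on the agent account (the article's point 1) and the same SPN registered on a second object, which the KDC cannot resolve to a single key; `setspn -X` performs the same duplicate search forest-wide. Chrome may also take these policies from HKCU or from Chrome Browser Cloud Management, so a missing HKLM value is a prompt to look there, not proof the policy is absent.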

 

Additional Information

 

(1)

    Kerberos Troubleshooting

      Chrome/Chromium
      
        Verify that both the AuthServerWhitelist and
        AuthNegotiateDelegateWhitelist settings are configured. Starting
        with Google Chrome 86 these settings were renamed to
        AuthServerAllowlist and AuthNegotiateDelegateAllowlist.

        These setting names are case sensitive.
    
    https://community.broadcom.com/communities/community-home/librarydocuments/viewdocument?DocumentKey=bc3b8de9-fe6a-4394-94b4-4d549a943ab0