We're running a Web Agent, and when a user tries to log in with the Kerberos
Authentication Scheme, the login fails and the Web Agent reports the error:
[10/08/2019][12:07:46][2780][4500][SmKCC.cpp:139][SmKcc::getCredentials][0000000000000000000000008b260b0a-0adc-5d9cde81-1194-030a3a72][*10.0.0.1][][mywebagent][/federation/kerberos.asp][][Failed to validate remote GSSAPI token: Minor Status=100005, Major Status=851968, Message=Unknown code FF 165]
[2780] 1570561665.997005: Retrieving HTTP/[email protected] from FILE:C:\WINDOWS\krb5.keytab (vno 16, enctype rc4-hmac) with result: -1765328154/Key version number for principal in key table is incorrect
How can we fix this?
Release : 12.52
Component : SITEMINDER -WEB AGENT FOR IIS
The system hosts file
C:\windows\system32\drivers\etc\hosts
contained an entry that mapped the FQDN of a specific Web Server to the Load Balancer IP, rather than the Load Balancer FQDN itself. This is a problem because the HTTP SPN for the service account is registered with the Load Balancer FQDN. Kerberos derives the service principal name from the host name that the IP resolves to, so the Kerberos requests were made for the Web Server FQDN instead of the Load Balancer FQDN, and the GSSAPI token presented to the Web Agent could not be validated against the key held in its keytab (the "Key version number for principal in key table is incorrect" result in the log above).
Once an entry exists in the hosts file, the Windows DNS resolver cache is populated with A and PTR records taken from that entry, not from the DNS server. As a result, the cache held A and PTR values derived from this hosts entry. The cache contents can be displayed with:
c:\> ipconfig /displaydns
The DNS cache should show the Load Balancer FQDN with its IP, not the Web Server FQDN pointing to the same IP.
Removing the entry from the hosts file
C:\windows\system32\drivers\etc\hosts
and letting the DNS server perform the name resolution solved the issue. After editing the hosts file, flush the resolver cache (c:\> ipconfig /flushdns) so that the stale A and PTR records are discarded immediately rather than aging out, and check that the HTTP SPN for the Load Balancer FQDN is registered on the service account whose key is in the keytab (setspn -L <service account>).
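The checks described above, collected into one diagnostic script. This is an added example, not part of the KB article or of the SiteMinder product; the names lb.example.com and svc-webagent are assumptions to be replaced with the Load Balancer FQDN and the AD account that owns the HTTP SPN and keytab. It asks the DNS server for the Load Balancer IP (bypassing the hosts file and the cache), flags any hosts-file line that maps that IP to another name, shows what the resolver cache holds for it, verifies the SPN with setspn, and optionally comments out the offending hosts entries and flushes the cache.

```powershell
<#
  Added diagnostic for the hosts-file / SPN mismatch described in this article.
  Example code, not part of the KB article or the SiteMinder product.
  Assumptions (replace with your own values):
    -LoadBalancerFqdn : FQDN the HTTP SPN is registered for   (assumed: lb.example.com)
    -ServiceAccount   : AD account owning that SPN and keytab (assumed: svc-webagent)
  Run in an elevated PowerShell session on the IIS / Web Agent host.
#>
param(
    [string]$LoadBalancerFqdn = 'lb.example.com',   # assumed name
    [string]$ServiceAccount   = 'svc-webagent',     # assumed name
    [switch]$CommentOutStaleEntries                  # rewrite hosts file (a backup is taken first)
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Ask the DNS server directly (-DnsOnly bypasses hosts file and resolver cache).
$lbIps = @(Resolve-DnsName -Name $LoadBalancerFqdn -Type A -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
Write-Host "DNS server: $LoadBalancerFqdn -> $($lbIps -join ', ')"

# 2. Find hosts-file lines that map the Load Balancer IP to some *other* name.
#    Such a line makes Kerberos build HTTP/<other-name>, which the keytab does not hold.
$hostsLines = Get-Content -Path $hostsPath
$stale = @()
foreach ($line in $hostsLines) {
    $trimmed = ($line -split '#')[0].Trim()          # strip comments and whitespace
    if (-not $trimmed) { continue }
    $fields = $trimmed -split '\s+'
    if ($fields.Count -lt 2) { continue }            # need an IP and at least one name
    $ip    = $fields[0]
    $names = $fields[1..($fields.Count - 1)]
    if ($lbIps -contains $ip) {
        foreach ($n in $names) {
            if ($n -ine $LoadBalancerFqdn) {
                $stale += [pscustomobject]@{ Line = $line; Ip = $ip; Name = $n }
            }
        }
    }
}

# 3. Show what the resolver cache currently holds for that IP (what ipconfig /displaydns shows).
$cached = Get-DnsClientCache -ErrorAction SilentlyContinue |
          Where-Object { $lbIps -contains $_.Data -or ($stale.Name -contains $_.Data) }
Write-Host "`nResolver cache entries involving the Load Balancer IP or stale names:"
$cached | Select-Object Entry, Data | Format-Table -AutoSize

# 4. Confirm the SPN is registered on the account the keytab was generated for,
#    and see whether any stale name has its own HTTP SPN elsewhere in the forest.
$spnList  = & setspn.exe -L $ServiceAccount 2>&1
$hasLbSpn = [bool]($spnList -match "^\s*HTTP/$([regex]::Escape($LoadBalancerFqdn))\s*$")
Write-Host "`nHTTP/$LoadBalancerFqdn registered on $ServiceAccount : $hasLbSpn"
foreach ($s in $stale) {
    Write-Host "setspn -Q HTTP/$($s.Name):"
    & setspn.exe -Q "HTTP/$($s.Name)" 2>&1 | ForEach-Object { "    $_" }
}

# 5. Report, and optionally remediate.
if ($stale.Count -eq 0) {
    Write-Host "`nNo hosts-file alias for the Load Balancer IP found."
} else {
    Write-Host "`nHosts-file entries that alias the Load Balancer IP to another name:"
    $stale | Format-Table -AutoSize
    if ($CommentOutStaleEntries) {
        $backup = "$hostsPath.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
        Copy-Item -Path $hostsPath -Destination $backup
        $fixed = $hostsLines | ForEach-Object {
            if ($stale.Line -contains $_) { "# $_" } else { $_ }
        }
        Set-Content -Path $hostsPath -Value $fixed -Encoding Ascii
        Clear-DnsClientCache       # same effect as ipconfig /flushdns: stale A/PTR entries go now
        Write-Host "Stale entries commented out (backup at $backup); resolver cache flushed."
    }
}
```

Run it first without -CommentOutStaleEntries to see the report; rerun with the switch to comment out the stale lines and flush the cache. To confirm the fix from the client side, log in again and run klist on the client: the service ticket listed should be for HTTP/<Load Balancer FQDN>, not for the Web Server FQDN.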