We're running a Web Agent and when user tries to login with Kerberos
Authentication Scheme, then the login fails and the Web Agent reports error :
to validate remote GSSAPI token: Minor Status=100005, Major
Status=851968, Message=Unknown code FF 165]
 1570561665.997005: Retrieving
HTTP/[email protected] from
FILE:C:\WINDOWS\krb5.keytab (vno 16, enctype rc4-hmac) with
result: -1765328154/Key version number for principal in key table is
How can we fix this ?
Release : 12.52
Component : SITEMINDER -WEB AGENT FOR IIS
The system hosts file
had the FQDN of a specific Web Server pointing to the Loadbalancer IP,
not the Loadbalancer FQDN itself. This causes a problem as the SPN for
the HTTP Service account is set with the Loadbalancer FQDN. The
kerberos call were done to the Web Server FQDN instead of the
Once an entry is set in the hosts file, then the Windows DNS cache get
filled for A and PTR with the entry from the hosts file, not fom the DNS
server. As such, the cache had A and PTR values from this hosts entry.
The cache values can be obtained by running command :
c:\> ipconfig /displaydns
The DNS cache should have the Loadbalancer FQDN and its IP instead of
the Web Server FQDN pointing to the same IP.
Removing the entry from the hosts file
and letting the DNS server doing the name resolution solved the issue.