search cancel

Unable to Extract KerberosEncData from compressed kerberos token (CA API Gateway)


Article ID: 186956


Updated On:


CA API Gateway API SECURITY CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7) CA API Gateway Enterprise Service Manager (Layer 7) STARTER PACK-7 CA Microgateway


  • When use "Require Windows Integrated Authentication Credentials" Assertion along with the Authorization Context Variables  "" to extract the user name from the kerberos ticket, it's empty.
  • After enable kerberos debug, it shows,
         STDOUT: >>> KrbApReq: authenticate succeed.
  • No other error in ssg log.
  • After change the log level to FINE, it shows following error,
         "Unable to extract kerberos authorization data from the kerberos ticket: Malformed PAC logon info."

To enable kerberos debug, refer to,

To change log level, refer to product document, (change both log.level cluster-wide property, and the threshold of the ssg log sink)


Release : 9.3, 9.4, 10, 10cr01

Component : Integration with APM


The gateway currently doesn't support compressed kerberos token, but from windows server 2012, Kerberos Token compression is enabled by default.


Turn off kerberos compression on KDC, the solution is on MS website,

Additional Information