Unable to Extract KerberosEncData from compressed kerberos token (CA API Gateway)

search cancel

Unable to Extract KerberosEncData from compressed kerberos token (CA API Gateway)

book

Article ID: 186956

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

When use "Require Windows Integrated Authentication Credentials" Assertion along with the Authorization Context Variables "kerberos.data.authorizations.0.pac.logoninfo.user.name" to extract the user name from the kerberos ticket, it's empty.
After enable kerberos debug, it shows,

STDOUT: >>> KrbApReq: authenticate succeed.

No other error in ssg log.
After change the log level to FINE, it shows following error,

"Unable to extract kerberos authorization data from the kerberos ticket: Malformed PAC logon info."

To enable kerberos debug, refer to,
Enable Kerberos debug on CA APIM layer7 gateway

To change log level, refer to product document, (change both log.level cluster-wide property, and the threshold of the ssg log sink)
Gateway Logging Levels and Thresholds

Environment

Release : All supported gateway versions

Component : Integration with APM

Cause

The gateway currently doesn't support compressed kerberos token, but from windows server 2012, Kerberos Token compression is enabled by default.

Resolution

Turn off kerberos compression on KDC, the solution is on MS website,
https://support.microsoft.com/en-us/help/2774190/resource-sid-compression-in-windows-server-2012-may-cause-authorization

Additional Information

https://stackoverflow.com/questions/28221440/malformed-pac-logon-info-on-new-kerberostoken

Enable Kerberos debug on CA APIM layer7 gateway

Feedback

thumb_up Yes

thumb_down No