ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Unable to Extract KerberosEncData from compressed kerberos token (CA API Gateway)


Article ID: 186956


Updated On:


CA API Gateway API SECURITY CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7) CA API Gateway Enterprise Service Manager (Layer 7) STARTER PACK-7 CA Microgateway


  • When use "Require Windows Integrated Authentication Credentials" Assertion along with the Authorization Context Variables  "" to extract the user name from the kerberos ticket, it's empty.
  • After enable kerberos debug, it shows,
         STDOUT: >>> KrbApReq: authenticate succeed.
  • No other error in ssg log.
  • After change the log level to FINE, it shows following error,
         "Unable to extract kerberos authorization data from the kerberos ticket: Malformed PAC logon info."

To enable kerberos debug, refer to,

To change log level, refer to product document, (change both log.level cluster-wide property, and the threshold of the ssg log sink)


The gateway currently doesn't support compressed kerberos token, but from windows server 2012, Kerberos Token compression is enabled by default.


Release : 9.3, 9.4, 10, 10cr01

Component : Integration with APM


Turn off kerberos compression on KDC, the solution is on MS website,

Additional Information