
Unable to Extract KerberosEncData from compressed kerberos token (CA API Gateway)


Article ID: 186956

Products

  • CA API Gateway
  • API SECURITY
  • CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
  • CA API Gateway Enterprise Service Manager (Layer 7)
  • STARTER PACK-7
  • CA Microgateway

Issue/Introduction

  • When the "Require Windows Integrated Authentication Credentials" assertion is used together with the authorization context variable "kerberos.data.authorizations.0.pac.logoninfo.user.name" to extract the user name from the Kerberos ticket, the variable is empty.
  • After enabling Kerberos debug, the only output is:
         STDOUT: >>> KrbApReq: authenticate succeed.
  • No other error appears in the ssg log.
  • After changing the log level to FINE, the following error appears:
         "Unable to extract kerberos authorization data from the kerberos ticket: Malformed PAC logon info."


To enable Kerberos debug, refer to:
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=141612

To change the log level, refer to the product documentation (change both the log.level cluster-wide property and the threshold of the ssg log sink; the error is only logged at FINE):
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/administer-the-gateway/gateway-logging-levels-and-thresholds.html

Environment

Release : 9.3, 9.4, 10, 10cr01

Component : Integration with APM

Cause

The Gateway currently does not support Kerberos tickets whose PAC uses resource SID compression. Starting with Windows Server 2012, the KDC enables this compression by default, so the Gateway cannot parse the PAC logon info, reports it as "Malformed PAC logon info" at FINE level, and leaves the kerberos.data.authorizations.* context variables empty. The Kerberos authentication itself still succeeds (hence "KrbApReq: authenticate succeed" in the debug output); only the authorization data extracted from the PAC is affected.

Resolution

Turn off resource SID compression on the KDC (that is, on every domain controller that can issue service tickets for the Gateway's SPN). The procedure is in the Microsoft article:
https://support.microsoft.com/en-us/help/2774190/resource-sid-compression-in-windows-server-2012-may-cause-authorization

Note that this is a domain controller setting, so it affects every Kerberos client that obtains service tickets from that KDC, not only the Gateway. Resource SID compression exists to keep ticket size down; with it disabled, users who are members of many groups receive larger tickets again. Existing cached service tickets still carry the compressed PAC, so test with a fresh logon or purge the client ticket cache (klist purge) before re-testing against the Gateway.
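The following PowerShell script applies the resolution on a domain controller with a pre-check, a registry backup and a restart of the KDC service. It is an added example, not code from the Broadcom article or from the Microsoft article it links to. It assumes the switch is the REG_DWORD value DisableResourceGroupsFields under HKLM\SYSTEM\CurrentControlSet\Services\Kdc (1 = compression disabled) and that the Kerberos Key Distribution Center service (kdc) must be restarted for the change to take effect; verify both against the linked Microsoft article before running it, and run it on every domain controller that can issue tickets for the Gateway. The SPN used in the verification comment is a placeholder.

```powershell
# Added example (not the Broadcom article's or Microsoft's own code).
# Run elevated on each domain controller that issues service tickets for the Gateway.
# Assumptions, to be verified against KB 2774190 before use:
#   - the switch is the REG_DWORD value DisableResourceGroupsFields under
#     HKLM\SYSTEM\CurrentControlSet\Services\Kdc (1 = resource SID compression disabled)
#   - the Kerberos Key Distribution Center service ("kdc") must be restarted afterwards
#Requires -RunAsAdministrator

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'DisableResourceGroupsFields'

function Get-KdcResourceSidCompression {
    # Returns $true while the KDC still compresses resource SIDs (the Windows Server
    # 2012+ default: value absent or 0) and $false once it has been disabled.
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $true }
    return ($item.$ValueName -ne 1)
}

function Disable-KdcResourceSidCompression {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Get-KdcResourceSidCompression)) {
        Write-Host "Resource SID compression is already disabled on $env:COMPUTERNAME"
        return
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set $ValueName=1 and restart the kdc service")) {
        # Export the key first so the change can be rolled back with 'reg import'.
        $backup = Join-Path $env:TEMP ('kdc-{0}-{1:yyyyMMddHHmmss}.reg' -f $env:COMPUTERNAME, (Get-Date))
        reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Kdc' $backup /y | Out-Null
        Write-Host "Registry backup written to $backup"

        # Create or overwrite the value; -Force makes this idempotent.
        New-ItemProperty -Path $KdcKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

        # Assumed to be required for the KDC to pick up the new setting.
        Restart-Service -Name kdc
        Write-Host "Resource SID compression disabled on $env:COMPUTERNAME; kdc restarted"
    }
}

# Dry run first (-WhatIf), then apply.
Disable-KdcResourceSidCompression -WhatIf
Disable-KdcResourceSidCompression

# Verification on a client, after the change (placeholder SPN):
#   klist purge
#   klist get HTTP/gateway.example.com
# then re-run the Gateway policy and confirm that
# ${kerberos.data.authorizations.0.pac.logoninfo.user.name} is populated.
```

Because this is a per-domain-controller setting, a client that happens to obtain its service ticket from a DC that has not yet been changed will still present a compressed PAC and reproduce the "Malformed PAC logon info" error intermittently; apply it to all DCs in the domain (or at least all DCs in the Gateway's site) before closing the incident.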

Additional Information

https://stackoverflow.com/questions/28221440/malformed-pac-logon-info-on-new-kerberostoken

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=141612

https://support.microsoft.com/en-us/help/2774190/resource-sid-compression-in-windows-server-2012-may-cause-authorization