Unable to Extract KerberosEncData from compressed kerberos token (CA API Gateway)


Article ID: 186956

Products

  • CA API Gateway
  • API SECURITY
  • CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
  • CA API Gateway Enterprise Service Manager (Layer 7)
  • STARTER PACK-7
  • CA Microgateway

Issue/Introduction

  • When the "Require Windows Integrated Authentication Credentials" assertion is used together with the authorization context variable "kerberos.data.authorizations.0.pac.logoninfo.user.name" to extract the user name from the Kerberos ticket, the variable is empty.
  • With Kerberos debugging enabled, the output shows:
         STDOUT: >>> KrbApReq: authenticate succeed.
  • No other error appears in the ssg log.
  • After changing the log level to FINE, the following error appears:
         "Unable to extract kerberos authorization data from the kerberos ticket: Malformed PAC logon info."


To enable Kerberos debugging, refer to:
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=141612

To change the log level, refer to the product documentation (change both the log.level cluster-wide property and the threshold of the ssg log sink):
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/administer-the-gateway/gateway-logging-levels-and-thresholds.html

Cause

The gateway does not currently support compressed Kerberos tokens (resource SID compression in the PAC), and resource SID compression is enabled by default from Windows Server 2012 onward. The gateway therefore fails to parse the PAC logon info and cannot populate the authorization context variables, even though the ticket itself authenticates successfully.

Environment

Release : 9.3, 9.4, 10, 10cr01

Component : Integration with APM

Resolution

Turn off Kerberos resource SID compression on the KDC (domain controller); the procedure is documented on the Microsoft website:
https://support.microsoft.com/en-us/help/2774190/resource-sid-compression-in-windows-server-2012-may-cause-authorization
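As an added example (not from the Broadcom article or the gateway product), the following PowerShell reports whether resource SID compression is disabled on the domain controller it runs on, and can apply the change with a preview. The registry path and value name DisableResourceGroupsFields are assumed to be the ones the linked Microsoft article describes; verify them against that article before use.

```powershell
# Added example, not part of the Broadcom article.
# Assumption: the Microsoft article linked above disables resource SID compression
# on a Windows Server 2012+ KDC via this DWORD; confirm the path and name there first.
$KdcParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc\Parameters'
$ValueName = 'DisableResourceGroupsFields'

function Get-ResourceSidCompressionState {
    # Returns 'Disabled' when the DWORD is 1, otherwise 'Enabled' (the 2012+ default).
    $current = Get-ItemProperty -Path $KdcParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $current -and $current.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-ResourceSidCompression {
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $KdcParams)) { New-Item -Path $KdcParams -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$KdcParams\$ValueName", 'Set DWORD to 1')) {
        Set-ItemProperty -Path $KdcParams -Name $ValueName -Value 1 -Type DWord
    }
}

# Report the current state on this domain controller.
"$env:COMPUTERNAME resource SID compression: $(Get-ResourceSidCompressionState)"
# To apply: Disable-ResourceSidCompression -WhatIf   (preview), then without -WhatIf.
```

Run it on every domain controller that can issue service tickets for the gateway's Kerberos service account, since any of them may issue the ticket the gateway receives.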

Additional Information

https://stackoverflow.com/questions/28221440/malformed-pac-logon-info-on-new-kerberostoken

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=141612

https://support.microsoft.com/en-us/help/2774190/resource-sid-compression-in-windows-server-2012-may-cause-authorization