
Kerberos works intermittently and access gateway shows error "Failed to validate remote GSSAPI token"


Article ID: 189822


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

Kerberos authentication is failing intermittently in a production setup after an Access Gateway certificate change made over the weekend.
When authentication fails, the user's browser receives an HTTP 500 error,
and the Access Gateway agent trace log shows the error "Failed to validate remote GSSAPI token".

Environment

Release : 12.8.03

Component : SITEMINDER SECURE PROXY SERVER

Cause

The trace log can contain two different kinds of "Failed to validate remote GSSAPI token" error, and they have to be told apart before the cause can be found.

The first kind is expected occasionally. The browser has sent a short token (56 bytes here) to an Access Gateway that is configured to accept only Kerberos; a token that small is consistent with an NTLM negotiate message rather than a Kerberos ticket. Major Status 65536 (0x10000) decodes to the GSS-API routine error GSS_S_BAD_MECH (the requested mechanism is not supported), which is exactly what rejecting an NTLM token looks like:
[04/27/2020][17:23:59][96275][139782836340480][18332083-2868aabc-c6f983f8-184c50cd-ee3e932e-a33][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]
[04/27/2020][17:23:59][96275][139782836340480][18332083-2868aabc-c6f983f8-184c50cd-ee3e932e-a33][SmKcc::getCredentials][token length before validating is 56]
[04/27/2020][17:23:59][96275][139782836340480][18332083-2868aabc-c6f983f8-184c50cd-ee3e932e-a33][SmKcc::getCredentials][Failed to validate remote GSSAPI token: Minor Status=0, Major Status=65536, Message=Unknown code 0]

The second kind is NOT expected. The token is far longer (2904 bytes) and is most likely a legitimate Kerberos token. Major Status 851968 (0xD0000) decodes to GSS_S_FAILURE, a generic failure with no mechanism-specific detail (Minor Status 0, hence "Unknown code 0"), so the agent trace alone does not say why validation failed:
[04/28/2020][10:02:01][30712][139887639860992][11475fcf-30072862-af7498f9-0fbae05a-4a793725-687][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]
[04/28/2020][10:02:01][30712][139887639860992][11475fcf-30072862-af7498f9-0fbae05a-4a793725-687][SmKcc::getCredentials][token length before validating is 2904]
[04/28/2020][10:02:01][30712][139887639860992][11475fcf-30072862-af7498f9-0fbae05a-4a793725-687][SmKcc::getCredentials][Failed to validate remote GSSAPI token: Minor Status=0, Major Status=851968, Message=Unknown code 0]
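The following Python script is an added example and is not part of the original article or of the SiteMinder product. It decodes the numeric Major Status in the agent trace into the symbolic GSS-API code using the bit layout from RFC 2744, correlates each "token length before validating" line with its failure line by transaction id (the fifth bracketed field, so interleaved threads do not get mixed up), and separates the benign GSS_S_BAD_MECH rejections from failures that need investigating. The trace lines embedded below are constructed sample data shaped like the excerpts above; the field positions assumed by the line regex are taken from those excerpts.

```python
import re

# GSS-API major status layout (RFC 2744, section 3.9.1):
#   bits 31..24  calling error
#   bits 23..16  routine error
#   bits 15..0   supplementary information
CALLING_ERROR_OFFSET = 24
ROUTINE_ERROR_OFFSET = 16

CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}


def decode_major_status(major):
    """Turn a numeric GSS-API major status into its symbolic name(s)."""
    calling = (major >> CALLING_ERROR_OFFSET) & 0xFF
    routine = (major >> ROUTINE_ERROR_OFFSET) & 0xFF
    supplementary = major & 0xFFFF
    parts = []
    if calling:
        parts.append(CALLING_ERRORS.get(calling, f"CALLING_ERROR_{calling}"))
    if routine:
        parts.append(ROUTINE_ERRORS.get(routine, f"ROUTINE_ERROR_{routine}"))
    if supplementary:
        parts.append(f"SUPPLEMENTARY_0x{supplementary:04x}")
    return "|".join(parts) if parts else "GSS_S_COMPLETE"


# Agent trace line: [date][time][pid][tid][transaction id][function][message]
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\]\[(?P<time>[^\]]+)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]"
    r"\[(?P<txn>[^\]]+)\]\[(?P<func>[^\]]+)\]\[(?P<msg>.*)\]$"
)
LEN_RE = re.compile(r"token length before validating is (\d+)")
FAIL_RE = re.compile(r"Failed to validate remote GSSAPI token: Minor Status=(\d+), Major Status=(\d+)")

# Constructed sample trace: two transactions whose lines interleave, as they do in a busy gateway.
SAMPLE_TRACE = """\
[04/27/2020][17:23:59][96275][139782836340480][18332083-2868aabc-c6f983f8-184c50cd-ee3e932e-a33][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]
[04/27/2020][17:23:59][96275][139782836340480][18332083-2868aabc-c6f983f8-184c50cd-ee3e932e-a33][SmKcc::getCredentials][token length before validating is 56]
[04/27/2020][17:23:59][96275][139782836340481][11475fcf-30072862-af7498f9-0fbae05a-4a793725-687][SmKcc::getCredentials][token length before validating is 2904]
[04/27/2020][17:23:59][96275][139782836340480][18332083-2868aabc-c6f983f8-184c50cd-ee3e932e-a33][SmKcc::getCredentials][Failed to validate remote GSSAPI token: Minor Status=0, Major Status=65536, Message=Unknown code 0]
[04/27/2020][17:23:59][96275][139782836340481][11475fcf-30072862-af7498f9-0fbae05a-4a793725-687][SmKcc::getCredentials][Failed to validate remote GSSAPI token: Minor Status=0, Major Status=851968, Message=Unknown code 0]
"""


def triage_trace(trace_text):
    """Correlate token length and validation failure per transaction id and classify each failure."""
    per_txn = {}
    failed_order = []
    for raw in trace_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        txn, msg = m.group("txn"), m.group("msg")
        entry = per_txn.setdefault(txn, {"txn": txn, "timestamp": f'{m.group("date")} {m.group("time")}'})
        lm = LEN_RE.search(msg)
        fm = FAIL_RE.search(msg)
        if lm:
            entry["token_length"] = int(lm.group(1))
        elif fm:
            entry["minor"], entry["major"] = int(fm.group(1)), int(fm.group(2))
            failed_order.append(txn)
    findings = []
    for txn in failed_order:
        e = per_txn[txn]
        e["status"] = decode_major_status(e["major"])
        # GSS_S_BAD_MECH is the browser offering a mechanism (NTLM) the Kerberos-only gateway
        # does not accept; the article treats occasional occurrences of that as normal.
        e["expected"] = e["status"] == "GSS_S_BAD_MECH"
        e["note"] = ("unsupported mechanism offered by the browser; occasional occurrences are normal"
                     if e["expected"] else
                     "token of plausible Kerberos size rejected with a generic failure; check the policy server side")
        findings.append(e)
    return findings


if __name__ == "__main__":
    for f in triage_trace(SAMPLE_TRACE):
        flag = "expected" if f["expected"] else "INVESTIGATE"
        print(f'{f["timestamp"]} txn={f["txn"][:8]} len={f.get("token_length")} {f["status"]} -> {flag}: {f["note"]}')
```

Run it against a real agent trace by reading the file into `triage_trace`; every transaction whose status is not GSS_S_BAD_MECH is one the agent trace cannot explain on its own and is where the policy server logs come in.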

Apache access logs can be collected to confirm that the request reached the gateway, but they show nothing about GSSAPI token processing.

The real cause turns up on the policy server side: two of the four policy servers were running under the wrong user ID, which caused the 'Kerberos' authentication scheme to fail to initialize on those two servers.

Resolution

Two of the policy server processes were running as root instead of the intended service account, so the 'Kerberos' authentication scheme failed to initialize on those two servers. Requests routed to them failed while requests routed to the other two succeeded, which is why only some users were affected, and only intermittently. Running those two policy servers as the intended (non-root) service account resolves the problem.
The Access Gateway certificate change was not related to the problem.
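As an added check that is not part of the original article, the following Python snippet takes `ps -eo user,pid,comm` output collected from each policy server host and flags every policy server process that is not running as the expected service account. The process name smpolicysrv and the account name smuser are assumptions for illustration (use your site's values); the ps output embedded below is constructed sample data that mirrors the article's situation of two misowned servers out of four.

```python
# Constructed sample of `ps -eo user,pid,comm` output, one entry per policy server host.
SAMPLE_PS = {
    "ps01": "USER       PID COMMAND\nsmuser    2101 smpolicysrv\nroot       812 sshd\n",
    "ps02": "USER       PID COMMAND\nroot      2102 smpolicysrv\nroot       813 sshd\n",
    "ps03": "USER       PID COMMAND\nsmuser    2103 smpolicysrv\n",
    "ps04": "USER       PID COMMAND\nroot      2104 smpolicysrv\n",
}


def find_misowned_policy_servers(ps_by_host, expected_user="smuser", process="smpolicysrv"):
    """Return {host: [(pid, actual_user), ...]} for policy server processes not owned by expected_user.

    ps_by_host maps a host name to the text of `ps -eo user,pid,comm` from that host.
    The process and account names are assumptions, not values taken from the article.
    """
    misowned = {}
    for host, output in ps_by_host.items():
        for line in output.splitlines()[1:]:          # skip the ps header row
            fields = line.split()
            if len(fields) < 3:
                continue
            user, pid, comm = fields[0], fields[1], fields[2]
            if comm == process and user != expected_user:
                misowned.setdefault(host, []).append((int(pid), user))
    return misowned


if __name__ == "__main__":
    bad = find_misowned_policy_servers(SAMPLE_PS)
    for host, procs in sorted(bad.items()):
        for pid, user in procs:
            print(f"{host}: smpolicysrv pid {pid} runs as {user}; restart it as the service account")
```

Any host reported here is one whose Kerberos authentication scheme will have failed to initialize, and the share of failing requests will roughly track the share of policy servers in the list.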