Kerberos Authentication Failure


Article ID: 195995


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

The client environment is fully Windows-based, including the client workstation, Access Gateway, Policy Server and Active Directory. Kerberos is used to fulfill the Integrated Windows Authentication requirement.

After configuring everything, we still cannot get Kerberos authentication to work.

I can see the following in our web agent trace file:

[07/25/2020][11:46:24.729][7300][39388][SmKCC.cpp:443][SmKcc::getCredentials][b1b2e0bd-697116c6-96bcda26-307d31a0-9289f78b-0][][sdi-int-agent][/showrequestheaderkrb.jsp][][][showrequestheaderkrb-test-internal][][][][][][][][][ †š¥J][][][][][][Failed to create delegated GSSAPI token on behalf of HTTP/<WEBSERVER-NAME>@<KERBEROS-REALM> for <USER>: Minor Status=-1765328371, Major Status=851968, Message=KDC can't fulfill requested option]

Using Chrome and Microsoft Edge browsers.

Environment

Release : 12.8.03

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

For Chrome, set the following policy, which lists the servers Chrome may delegate the user's credentials to:

AuthNegotiateDelegateWhitelist

https://dev.chromium.org/administrators/policy-list-3#AuthNegotiateDelegateWhitelist

For Edge, the equivalent policy is:

AuthNegotiateDelegateAllowlist

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#authnegotiatedelegateallowlist
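
The two policies above can be set locally through the registry. The following PowerShell is an added example, not taken from the original article or from the vendor. It assumes an elevated prompt, the standard machine policy keys for Chrome and Edge, and a placeholder host name (webserver.example.com) standing in for the server named in the HTTP/ SPN.

```powershell
# Added example: allow Kerberos delegation to ONE named server in Chrome and Edge.
# Run elevated. In a domain, the same values are normally pushed by Group Policy.

# Placeholder (assumption): FQDN of the web server from the HTTP/<WEBSERVER-NAME> SPN.
$DelegateTo = 'webserver.example.com'

# Every server on this list can receive a delegated ticket for the user,
# so refuse a bare wildcard and keep the list to the hosts that need it.
if ($DelegateTo -eq '*' -or [string]::IsNullOrWhiteSpace($DelegateTo)) {
    throw 'Specify the exact server name; do not allow delegation to all servers.'
}

# Policy names are the ones given in this article; key paths are the standard
# machine policy locations for each browser.
# Note: newer Chrome releases renamed this policy to AuthNegotiateDelegateAllowlist.
$Policies = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome';  Name = 'AuthNegotiateDelegateWhitelist' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'AuthNegotiateDelegateAllowlist' }
)

foreach ($p in $Policies) {
    if (-not (Test-Path $p.Key)) {
        New-Item -Path $p.Key -Force | Out-Null
    }

    # The value is a comma-separated server list. Merge with what is already
    # there instead of overwriting entries another administrator added.
    $existing = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    $servers  = @($existing -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($servers -notcontains $DelegateTo) {
        $servers += $DelegateTo
    }

    New-ItemProperty -Path $p.Key -Name $p.Name -Value ($servers -join ',') `
        -PropertyType String -Force | Out-Null

    # Read the value back so the result is visible in the console.
    $actual = (Get-ItemProperty -Path $p.Key -Name $p.Name).($p.Name)
    '{0}\{1} = {2}' -f $p.Key, $p.Name, $actual
}
```

After the browsers are restarted, the applied values can be confirmed at chrome://policy and edge://policy.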

Additional Information

https://community.broadcom.com/communities/community-home/librarydocuments/viewdocument?DocumentKey=bc3b8de9-fe6a-4394-94b4-4d549a943ab0#jive_content_id_Internet_Explorer