Kerberos is failing with Failed to validate remote GSSAPI token: Minor Status=0, Major Status=851968, Message=Unknown code 0]

Article ID: 204143


Products

- CA Single Sign On Secure Proxy Server (SiteMinder)
- CA Single Sign On Agents (SiteMinder)
- CA Single Sign On Federation (SiteMinder)
- CA Single Sign On SOA Security Manager (SiteMinder)
- SITEMINDER

Issue/Introduction

 

We're running a Web Agent, and when a user tries to log in through the
Kerberos Authentication Scheme, the Web Agent fails and reports this error:

  [08/17/2020][22:59:03][7068][6460][SmKCC.cpp:124][SmKcc::getCredentials]
  [000000000000000000000000d5d6130a-1b9c-4sd4ds11dd-ssd-024a47cb][*10.0.0.1]
  [][fmsissopfs02][/myapp/mypage/mypage.html][][token
  length before validating is 7408]
 
  [08/17/2020][22:59:09][7068][6460][SmKCC.cpp:139][SmKcc::getCredentials]
  [000000000000000000000000d5d6130a-1b9c-4sd4ds11dd-ssd-024a47cb][*10.0.0.1]
  [][fmsissopfs02][/myapp/mypage/mypage.html][]
  [Failed to validate remote GSSAPI token: Minor Status=0, Major Status=851968, Message=Unknown code 0]

We noted that this issue happens randomly. When it happens, the user never
gets access until we restart the IIS Web Server on which the Web Agent
runs.

How can we fix that?

 

Environment

 

  WebAgent 12.52SP1CR09 on IIS 8.5 on Windows 2012R2 (IP 10.9.177.2);
  Policy Server: 12.8SP3 on Windows 2012R2;
  KDC on Active Directory 2012R2;

 

Resolution

 

- In krb5.ini:

  Set default_ccache_name using the following syntax:

  default_ccache_name = FILE:C:\mypathtokrb5ccfile\krb5cc_%{uid}

  For the %{uid} token, see "Parameter expansion" in the MIT Kerberos documentation:
  https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#parameter-expansion

  Set default_client_keytab_name to the same value as default_keytab_name.

- Upgrade the Web Agent to 12.52SP1CR11, as Kerberos is upgraded to 1.16 and
  this version provides the specific krbcc64.dll to manage the cache.
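
The "Major Status" in the trace line is a packed GSS-API value. The following is an added example, not part of the original article or the product: it scans Web Agent trace lines for this failure and decodes the status with the RFC 2744 bit layout, which helps to confirm after the change that the error no longer recurs. The record prefix order (date, time, process id, thread id) is an assumption based on the excerpt above.

```python
import re

# GSS-API major status layout (RFC 2744): calling error in bits 24-31,
# routine error in bits 16-23, supplementary flags in bits 0-15.
CALLING = {1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
           3: "GSS_S_CALL_BAD_STRUCTURE"}
ROUTINE = dict(enumerate((
    "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE", "GSS_S_BAD_BINDINGS",
    "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG", "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT",
    "GSS_S_DEFECTIVE_TOKEN", "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED",
    "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE", "GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED",
    "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN"), start=1))
FLAGS = ("GSS_S_CONTINUE_NEEDED", "GSS_S_DUPLICATE_TOKEN", "GSS_S_OLD_TOKEN",
         "GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN")

def decode_major(status):
    """Split a 32-bit GSS-API major status into its named components."""
    calling, routine = (status >> 24) & 0xFF, (status >> 16) & 0xFF
    names = [CALLING.get(calling, f"calling error {calling}")] if calling else []
    if routine:
        names.append(ROUTINE.get(routine, f"routine error {routine}"))
    names += [n for bit, n in enumerate(FLAGS) if status & (1 << bit)]
    return names or ["GSS_S_COMPLETE"]

# Assumed prefix order: [date][time][process id][thread id]
STAMP = re.compile(r"\[(\d{2}/\d{2}/\d{4})\]\[(\d{2}:\d{2}:\d{2})\]\[(\d+)\]\[(\d+)\]")
FAIL = re.compile(r"Failed to validate remote GSSAPI token: "
                  r"Minor Status=-?\d+, Major Status=(\d+)")

def scan(lines):
    """Return (date, time, pid, major, names) per failure; records may wrap lines."""
    stamp, hits = ("?", "?", "?"), []
    for line in lines:
        if m := STAMP.search(line):
            stamp = m.group(1, 2, 3)   # remember the prefix of the current record
        if f := FAIL.search(line):
            major = int(f.group(1))
            hits.append((*stamp, major, decode_major(major)))
    return hits

# Sample input: the second trace record from the excerpt above, abridged.
SAMPLE = """\
[08/17/2020][22:59:09][7068][6460][SmKCC.cpp:139][SmKcc::getCredentials]
[][fmsissopfs02][/myapp/mypage/mypage.html][]
[Failed to validate remote GSSAPI token: Minor Status=0, Major Status=851968, Message=Unknown code 0]
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit)
```

For the status on this page, 851968 is 13 shifted left by 16 bits, the generic GSS_S_FAILURE routine error. With Minor Status=0 there is no mechanism-specific detail, which matches the "Unknown code 0" message text.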