Kerberos Authentication failure in Windows 11 22 H2 machines


Article ID: 254463



CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), SITEMINDER



Kerberos-based authentication is failing for Windows 11 22H2 clients. The error message in the Access Gateway trace log is:

[Failed to create delegated GSSAPI token on behalf of HTTP/_host._example._com@EXAMPLE._COM for smps@_ps.example._com: Minor Status=-1765328371, Major Status=851968, Message=KDC can't fulfill requested option]

The problem occurs after Windows clients have been upgraded to the Windows 11 22H2 release.




Policy Server: 12.8.x
Access Gateway: 12.8.x




Windows 11 22H2 enables Credential Guard by default (1).

Credential Guard must be explicitly disabled to correct issues with SiteMinder Kerberos authentication.

The following DWORD registry values must be set to 0 (see the section on disabling Credential Guard in the Microsoft article "Manage Windows Defender Credential Guard", listed under Additional Information).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags=0 (DWORD)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags=0 (DWORD)

After setting the registry values, restart the system. The system should now authenticate to SiteMinder resources protected with the Kerberos authentication scheme.
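The check below is an added example, not part of the original article or of any Broadcom or Microsoft tooling. It reports the two LsaCfgFlags values and whether Credential Guard is actually running, so the state can be confirmed before and after the restart. The `-Apply` switch is an assumption of this example; with it, the script writes the two values to 0 as described above. Run it from an elevated PowerShell session.

```powershell
# Added example: audit (and with -Apply, set) the LsaCfgFlags values from this article.
param([switch]$Apply)   # -Apply is a switch defined by this example only

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
)
# Documented meanings of LsaCfgFlags
$meaning = @{ 0 = 'disabled'; 1 = 'enabled with UEFI lock'; 2 = 'enabled without lock' }

foreach ($key in $keys) {
    if ($Apply) {
        # Create the key if the policy path does not exist yet, then write DWORD 0
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name LsaCfgFlags -Value 0 `
            -PropertyType DWord -Force | Out-Null
    }
    $prop = Get-ItemProperty -Path $key -Name LsaCfgFlags -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Absent is not the same as 0: with default enablement, Credential Guard
        # can be running even though neither value exists.
        '{0}\LsaCfgFlags : not set' -f $key
    } else {
        '{0}\LsaCfgFlags : {1} ({2})' -f $key, $prop.LsaCfgFlags, $meaning[[int]$prop.LsaCfgFlags]
    }
}

# Runtime state: SecurityServicesRunning contains 1 while Credential Guard is active
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
    -Namespace root\Microsoft\Windows\DeviceGuard
$running = $dg.SecurityServicesRunning -contains 1
'Credential Guard running : {0}' -f $running

if ($running) {
    # Registry changes take effect only after a restart. If the feature was enabled
    # with UEFI lock, clearing the registry values alone does not turn it off.
    'Restart the system and run this check again.'
}
```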


Additional Information



    Manage Windows Defender Credential Guard