Kerberos based authentication is failing with client "Windows 11 22 H2" servers. Error message in the Access Gateway trace log is:
[Failed to create delegated GSSAPI token on behalf of HTTP/[email protected] for [email protected]: Minor Status=-1765328371, Major Status=851968, Message=KDC can't fulfill requested option]
Problem occurs when Windows client have been upgraded to Windows 11 22H2 release.
Policy Server: 12.8.x
Access Gateway: 12.8.x
Windows 11 22H2 enabled Credential Guard by default: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage
Credential Guard must be explicitly disabled to correct issues with SiteMinder Kerberos authentication.
The following DWORD registry keys must be set to 0 (see the section on disabling Credential Guard in the link above).
After setting the registry key, restart the system. The system should now successfully authenticate to SiteMinder resources protected with the Kerberos authentication scheme.