Kerberos Authentication failure in Windows 11 22H2 machines

Article ID: 254463

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
SITEMINDER

Issue/Introduction

Kerberos-based authentication fails for clients running Windows 11 22H2. The error message in the Access Gateway trace log is:

[Failed to create delegated GSSAPI token on behalf of HTTP/_host._example._com@EXAMPLE._COM for smps@_ps.example._com: Minor Status=-1765328371, Major Status=851968, Message=KDC can't fulfill requested option]

The problem appears as soon as Windows clients are upgraded to the Windows 11 22H2 release.


Environment

Policy Server: 12.8.x
Access Gateway: 12.8.x


Resolution

Windows 11 22H2 enables Credential Guard by default (1).

Credential Guard must be explicitly disabled on the affected clients to restore SiteMinder Kerberos authentication.

Set both of the following DWORD registry values to 0 (see the section on disabling Credential Guard in the Microsoft documentation referenced under Additional Information (1)).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags=0 (DWORD)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags=0 (DWORD)

After setting both registry values, restart the client. The client should then authenticate to SiteMinder resources protected by the Kerberos authentication scheme.
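As an added check that is not part of this article, the following PowerShell script reports whether Credential Guard is currently running on the client and shows the two LsaCfgFlags values listed above; it only writes them (to 0) when run with -Apply. It assumes an elevated PowerShell session on the Windows 11 client and the Win32_DeviceGuard WMI class that Microsoft ships with Windows 10 and 11.

```powershell
# Added example, not from the KB article.
# Reports Credential Guard state and the two LsaCfgFlags values the article
# requires to be 0; run with -Apply to set them. A reboot is still required.
param([switch]$Apply)

# Credential Guard isolates domain credentials from the LSA process, so disabling
# it removes that protection; scope the change to clients that need SiteMinder
# Kerberos and re-enable it once the client no longer depends on this workaround.
$paths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
)

# Win32_DeviceGuard: SecurityServicesRunning contains 1 while Credential Guard
# is actually running, regardless of what the registry currently says.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$running = $dg.SecurityServicesRunning -contains 1
Write-Host ("Credential Guard running: {0}" -f $running)

foreach ($p in $paths) {
    $val = (Get-ItemProperty -Path $p -Name LsaCfgFlags `
                -ErrorAction SilentlyContinue).LsaCfgFlags
    $shown = if ($null -eq $val) { '<not set>' } else { $val }
    Write-Host ("{0}\LsaCfgFlags = {1}" -f $p, $shown)

    if ($Apply -and $val -ne 0) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        Set-ItemProperty -Path $p -Name LsaCfgFlags -Value 0 -Type DWord
        Write-Host "  -> set to 0 (reboot required)"
    }
}

# If Credential Guard was enabled with UEFI lock, the registry change alone does
# not turn it off; follow the UEFI-lock removal steps in the Microsoft docs.
if ($running -and -not $Apply) {
    Write-Host "Credential Guard is active; re-run with -Apply and reboot."
}
```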

Additional Information

(1) Manage Windows Defender Credential Guard