Kerberos Authentication failure on Windows 11 22H2 machines

Article ID: 254463

Products

CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

Kerberos-based authentication fails for clients running Windows 11 22H2. The error message in the Access Gateway trace log is:

[Failed to create delegated GSSAPI token on behalf of HTTP/[email protected] for [email protected]: Minor Status=-1765328371, Major Status=851968, Message=KDC can't fulfill requested option]

The problem occurs after Windows clients have been upgraded to the Windows 11 22H2 release.

Environment

Policy Server: 12.8.x
Access Gateway: 12.8.x

Resolution

Windows 11 22H2 enables Credential Guard by default: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage

Credential Guard must be explicitly disabled to correct issues with SiteMinder Kerberos authentication.

The following registry values (DWORD) must be set to 0 (see the section on disabling Credential Guard in the Microsoft page linked above):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags=0 (DWORD)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags=0 (DWORD)

After setting both registry values, restart the system. The client should then authenticate successfully to SiteMinder resources protected by the Kerberos authentication scheme.
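The check-and-set procedure above, as an added PowerShell example that is not part of the Broadcom article: it reports the Credential Guard state through the Win32_DeviceGuard CIM class, then writes the two LsaCfgFlags values to 0, creating the DeviceGuard policy key if it does not exist yet. The function names are my own; run it from an elevated session on the affected client.

```powershell
# Added example (not from the article). Requires an elevated PowerShell session.
$lsaCfgPaths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
)

function Get-CredentialGuardState {
    # Win32_DeviceGuard lists security services: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # Read both LsaCfgFlags values named in the article; report missing ones.
    $flags = foreach ($p in $lsaCfgPaths) {
        $v = (Get-ItemProperty -Path $p -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
        "$p\LsaCfgFlags = $(if ($null -eq $v) { '<not set>' } else { $v })"
    }

    [pscustomobject]@{
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning    -contains 1)
        LsaCfgFlags               = $flags
    }
}

function Set-LsaCfgFlagsDisabled {
    foreach ($p in $lsaCfgPaths) {
        # The policy key is often absent on a machine that was never managed by GPO.
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name LsaCfgFlags -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

'--- before ---'
Get-CredentialGuardState | Format-List
Set-LsaCfgFlagsDisabled
'--- after (CredentialGuardRunning stays True until the reboot) ---'
Get-CredentialGuardState | Format-List
```

If Credential Guard was enabled with a UEFI lock, the registry values alone do not turn it off; the Microsoft page linked above documents the additional steps for that case.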