Kerberos Authentication failure in Windows 11 22 H2 machines


Article ID: 254463


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder)


Kerberos-based authentication is failing for "Windows 11 22 H2" client machines. The error message in the Access Gateway trace log is:

[Failed to create delegated GSSAPI token on behalf of HTTP/[email protected] for [email protected]: Minor Status=-1765328371, Major Status=851968, Message=KDC can't fulfill requested option]

The problem occurs when Windows clients have been upgraded to the Windows 11 22H2 release.


Policy Server: 12.8.x
Access Gateway: 12.8.x


Windows 11 22H2 enabled Credential Guard by default:

Credential Guard must be explicitly disabled to correct issues with SiteMinder Kerberos authentication.

The following DWORD registry keys must be set to 0 (see the section on disabling Credential Guard in the link above).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags=0 (DWORD)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags=0 (DWORD)

After setting the registry keys, restart the system. The system should now successfully authenticate to SiteMinder resources protected with the Kerberos authentication scheme.
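
The following PowerShell script is an added example, not part of the original article or of any Broadcom tooling. It reports the two LsaCfgFlags values listed above and whether Credential Guard is currently running, and writes 0 to both only when the hypothetical `-Apply` switch is given. The value meanings (1 = enabled with UEFI lock, 2 = enabled without lock) and the Win32_DeviceGuard query are Windows behaviour, not taken from this article.

```powershell
# Added example: audit (and optionally set) the two LsaCfgFlags values from this article.
# Run from an elevated PowerShell prompt on the Windows 11 22H2 client.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
)
# LsaCfgFlags meanings as defined by Windows
$meaning = @{ 0 = 'disabled'; 1 = 'enabled with UEFI lock'; 2 = 'enabled without lock' }

foreach ($key in $keys) {
    # Missing key or missing value both yield $null here
    $current = (Get-ItemProperty -Path $key -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    if ($null -eq $current) {
        Write-Output "$key : LsaCfgFlags not set (Windows default applies)"
    } else {
        Write-Output "$key : LsaCfgFlags=$current ($($meaning[[int]$current]))"
        if ($current -eq 1) {
            # With UEFI lock, the setting is also stored in firmware variables
            Write-Warning 'UEFI lock is in use; the registry change alone does not turn Credential Guard off.'
        }
    }
    if ($Apply) {
        # Create the policy key only if absent, so existing values are untouched
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name LsaCfgFlags -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Output "$key : LsaCfgFlags set to 0"
    }
}

# Running state: SecurityServicesRunning contains 1 while Credential Guard is active.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
if ($dg.SecurityServicesRunning -contains 1) {
    Write-Output 'Credential Guard is running (a restart is required after changing the values).'
} else {
    Write-Output 'Credential Guard is not running.'
}
```

Run it once without `-Apply` to record the starting state, and again after the restart to confirm that Credential Guard is no longer reported as running.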