In newer EdgeSWG releases (7.3.16.2 or later), when EdgeSWG joins or rejoins the Domain it sets the machine account's 'msDS-SupportedEncryptionTypes' attribute (shown under 'etype properties') to 28, which is 0x1C = RC4-HMAC + AES128 + AES256; in other words, it enables the AES encryption types. Unfortunately, if the 'SG hostname' (the machine account name) is longer than 15 characters, the Windows maximum for a NetBIOS computer name, EdgeSWG fails to decrypt the AES-encrypted service tickets. (Unlike RC4-HMAC keys, which are derived from the password alone, AES Kerberos keys are derived from the password together with a salt that incorporates the account name; the workarounds below therefore either shorten the name or fall back to RC4.)
This issue has been investigated via the defect/bug below:
SG-38097 - Proxies failing to decrypt Kerberos tickets
The fix for the defect/bug has been added in SGOS version 7.3.19.1. Upgrading to 7.3.19.1 or above should resolve this issue.
You can use the following workarounds as well:
1. Change the 'SG hostname' to 15 characters or fewer and join/rejoin the Domain.
or
2. Change 'msDS-SupportedEncryptionTypes' on the machine account to 0x0, or clear it to <not set> (under 'etype properties'), in AD. Then log out and back in, reboot, or run 'klist purge' on the client machine; the client will now obtain RC4-encrypted tickets and authentication will work. Make only this attribute change in AD for the machine account; do not rejoin EdgeSWG to the domain, or the join will set the 'etype properties' back to 28. To confirm the workaround took effect, run 'klist get <proxy SPN>' (for example 'klist get HTTP/<proxy FQDN>') on the client and check that the ticket's 'KerbTicket Encryption Type' shows RC4-HMAC rather than AES. Note that on domain controllers with the November 2022 Kerberos hardening updates, the encryption types the KDC uses for an account whose attribute is 0 or not set are governed by the 'DefaultDomainSupportedEncTypes' registry value, so verify the result with klist rather than assuming RC4.
Note: You may run into a similar issue if your 'Load-balanced Kerberos Service Account_Name' is longer than 20 characters (the limit for a user account's sAMAccountName / pre-Windows 2000 logon name). This has also been fixed in 7.3.19.1 and above.
Workarounds are:
1. Use a shorter 'Load-balanced Kerberos Service Account_Name' (20 characters or fewer), then reset the LB service account password in AD and run the command below on EdgeSWG:
'kerberos-user <LB_Service_AccountName> <password>'
or
2. Keep the 'Load-balanced Kerberos Service Account_Name' but use the RC4 encryption type instead of AES:
a. Change 'msDS-SupportedEncryptionTypes' on the service account to 0x0, or clear it to <not set> (under 'etype properties').
b. Also check that the 'This account supports Kerberos AES 128/256 bit encryption' options on the 'Account' tab are disabled (these checkboxes set the AES bits of the same attribute).
c. Reset the LB service account password in AD.
d. Run the command below on EdgeSWG:
'kerberos-user <LB_Service_AccountName> <password>'
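The checks and AD changes from both workarounds above (the machine account and the load-balanced service account), as an added PowerShell example that is not from the original article or from Broadcom: it audits the two name lengths against the 15-character NetBIOS and 20-character sAMAccountName limits, decodes the current 'msDS-SupportedEncryptionTypes' value, applies the 0x0 / <not set> change, resets the service account password, and verifies from a client which encryption type the proxy's service ticket actually uses. It assumes the ActiveDirectory PowerShell module on a domain-joined admin host, and the placeholder names 'PROXY01', 'svc-lb-kerberos' and 'HTTP/proxy01.corp.example' are assumptions; the 'kerberos-user' step still has to be run on the EdgeSWG CLI.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original article. All account and SPN names below are placeholders.

# Bit values of msDS-SupportedEncryptionTypes; EdgeSWG writes 28 = 0x1C = RC4 + AES128 + AES256.
$EtypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function ConvertTo-EtypeNames {
    # Decode the attribute into readable names; 0 or <not set> means the KDC default applies.
    param([AllowNull()]$Value)
    if ($null -eq $Value -or [int]$Value -eq 0) { return '0x0 / <not set> (KDC default)' }
    $names = foreach ($e in $EtypeBits.GetEnumerator()) { if ([int]$Value -band $e.Value) { $e.Key } }
    '0x{0:X} ({1})' -f [int]$Value, ($names -join ', ')
}

function Test-EdgeSwgKerberosNames {
    # Report the two length conditions from the article plus each account's current etype setting.
    param(
        [Parameter(Mandatory)][string]$ProxyHostname,   # the 'SG hostname' / machine account name
        [string]$LbServiceAccount                       # the load-balanced Kerberos service account (optional)
    )
    $attr = 'msDS-SupportedEncryptionTypes'
    $computer = Get-ADComputer -Identity $ProxyHostname -Properties $attr
    $report = [ordered]@{
        MachineAccount     = $ProxyHostname
        MachineNameTooLong = ($ProxyHostname.Length -gt 15)      # NetBIOS computer name limit
        MachineEtypes      = ConvertTo-EtypeNames $computer.$attr
    }
    if ($LbServiceAccount) {
        $user = Get-ADUser -Identity $LbServiceAccount -Properties $attr
        $report.ServiceAccount     = $LbServiceAccount
        $report.ServiceNameTooLong = ($LbServiceAccount.Length -gt 20)   # sAMAccountName limit for users
        $report.ServiceEtypes      = ConvertTo-EtypeNames $user.$attr
    }
    [pscustomobject]$report
}

function Set-Rc4Workaround {
    # Workaround 2: write 0x0 to msDS-SupportedEncryptionTypes, or clear it to <not set> with -Clear.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [ValidateSet('Computer', 'User')][string]$Kind = 'Computer',
        [switch]$Clear
    )
    $attr = 'msDS-SupportedEncryptionTypes'
    $change = if ($Clear) { @{ Clear = $attr } } else { @{ Replace = @{ $attr = 0 } } }
    if ($Kind -eq 'Computer') { Set-ADComputer -Identity $Identity @change }
    else                      { Set-ADUser     -Identity $Identity @change }
    # Do NOT rejoin EdgeSWG to the domain afterwards: the join writes the attribute back to 28.
}

function Reset-LbServiceAccountPassword {
    # Step c of workaround 2 (and workaround 1): reset the service account password in AD.
    # Afterwards run on the EdgeSWG CLI:  kerberos-user <LB_Service_AccountName> <password>
    param([Parameter(Mandatory)][string]$Identity)
    $newPassword = Read-Host -AsSecureString -Prompt "New password for $Identity"
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $newPassword
}

function Test-ServiceTicketEtype {
    # Run on a client: purge the cache, request a ticket for the proxy SPN and report its encryption type.
    param([Parameter(Mandatory)][string]$Spn)    # e.g. HTTP/proxy01.corp.example
    klist purge | Out-Null
    $out = (klist get $Spn 2>&1) -join "`n"
    if ($out -match 'KerbTicket Encryption Type:\s*(.+)') { $Matches[1].Trim() } else { 'no ticket obtained' }
}

# Usage (placeholder names):
# Test-EdgeSwgKerberosNames -ProxyHostname 'PROXY01' -LbServiceAccount 'svc-lb-kerberos'
# Set-Rc4Workaround -Identity 'PROXY01' -Kind Computer             # machine account, writes 0x0
# Set-Rc4Workaround -Identity 'svc-lb-kerberos' -Kind User -Clear   # service account, clears to <not set>
# Reset-LbServiceAccountPassword -Identity 'svc-lb-kerberos'
# Test-ServiceTicketEtype -Spn 'HTTP/proxy01.corp.example'          # expect an RC4-HMAC ticket after the workaround
```

Run Test-EdgeSwgKerberosNames first and fix only the account that actually exceeds its limit; after Set-Rc4Workaround, run Test-ServiceTicketEtype on a client rather than trusting the attribute value alone, since what the KDC issues for a 0x0 / <not set> account depends on the domain controller's defaults.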