Kerberos authorization resulted in status 401 Authentication required
Article ID: 404142
Updated On:
Products
Issue/Introduction
Multiple users are receiving errors when trying to authenticate
ssg log file shows Messages:
2025-07-03T14:52:06.343-0700 WARNING 52595 com.l7tech.server.policy.assertion.credential.http.ServerHttpNegotiate: 8200: Could not process Kerberos token (Negotiate);
error is 'KrbException: Incorrect net address (38)'
2025-07-03T14:52:06.343-0700 INFO 52595 com.l7tech.server.policy.assertion.credential.http.ServerHttpNegotiate: 4100: Authentication required
2025-07-03T14:52:06.343-0700 INFO 52595 com.l7tech.server.MessageProcessor: 3017: Policy evaluation for service AuthorizationService
[f65eb758c8df3332000000000010800e] resulted in status 401 (Authentication Required)
2025-07-03T14:52:06.343-0700 WARNING 52595 com.l7tech.server.message: Message was not processed: Authentication Required (401)
2025-07-07T12:16:29.521-0700 INFO 717 STDOUT: >>> KrbApReq: initiator is /999.999.999.999, but caddr is []
Recently patch, KB5060531, was applied to all Domain Controllers.
Environment
CA API Gateway 11.0
Windows Server 2019 with AD forest functional level 2016
Cause
Wrong registry on Active Directory server side
Resolution
1. Identified a problematic registry on AD
2. Remove problematic registry from AD.
2. Perform “klist purge” to clear all cached Kerberos tickets from the callers.
Additional Information
Feedback
