When the Web Agent runs with the Kerberos authentication scheme, the browser receives the error:
"Unknown Reason - This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."
and the Web Agent reports the error:
Kerberos Credential Cache login failed with service principal HTTP/at10555-internal-sso-system-2.gslb.ubsdev.net@UBSPROD.MSAD.UBS.NET: Pre-authentication failed: Permission denied
The Web Agent operating system has been upgraded from RedHat 7 to RedHat 8.
Policy Server 12.8SP7 on RedHat 8;
Web Agent 12.52SP1CR11 on Apache 2.4.57 on RedHat 8;
Research indicates that RedHat 8 changed the set of allowed encryption types (1).
The krb5.conf does not define default_tkt_enctypes or default_tgs_enctypes, so it may be advisable to configure them, along with the allow_weak_crypto and permitted_enctypes settings (2)(3).
Depending on the Active Directory version that is running, run the command
update-crypto-policies --set DEFAULT:AD-SUPPORT
on the hosts to "enable the deprecated RC4 encryption type for backwards compatibility with AD." (4).
Review the change with the OS vendor, and use the configuration mentioned above to resolve the issue.
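
To see whether the encryption-type change described above affects a given keytab, the keys it holds can be compared with the permitted_enctypes in effect. The script below is an added example, not part of the original article or vendor code. It assumes the output of `klist -ke` has been saved to a text file and that a krb5 configuration fragment containing permitted_enctypes is available; the principal, key versions and file contents in it are constructed.

```shell
#!/bin/sh
# Added example, not vendor code: list keytab entries whose encryption type is
# missing from krb5's permitted_enctypes. Works on saved text, so it runs offline.

# Print the permitted_enctypes of one krb5 config fragment, one name per line.
# Only plain names and a few common aliases are handled (no families, no +/-).
permitted_enctypes() {
    awk -F= '
        function canon(e) {
            if (e == "rc4-hmac" || e == "arcfour-hmac-md5") return "arcfour-hmac"
            if (e == "aes256-cts" || e == "aes256-sha1") return "aes256-cts-hmac-sha1-96"
            if (e == "aes128-cts" || e == "aes128-sha1") return "aes128-cts-hmac-sha1-96"
            return e
        }
        /^[ \t]*permitted_enctypes[ \t]*=/ {
            n = split($2, t, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (t[i] != "") print canon(t[i])
        }' "$1"
}

# blocked_keys KLIST_TXT KRB5_FRAGMENT: print "kvno principal enctype" for every
# line of saved `klist -ke` output whose enctype is not permitted.
blocked_keys() {
    awk -v list="$(permitted_enctypes "$2" | tr '\n' ' ')" '
        BEGIN { n = split(list, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        $NF ~ /^\(.*\)$/ {
            e = substr($NF, 2, length($NF) - 2)
            sub(/^DEPRECATED:/, "", e)   # newer klist marks deprecated types
            if (!(e in ok)) print $1, $(NF - 1), e
        }' "$1"
}

# Constructed sample inputs (hypothetical principal and key versions).
demo() {
    d=$(mktemp -d)
    cat > "$d/klist.txt" <<'EOF'
Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 HTTP/web.example.test@EXAMPLE.TEST (DEPRECATED:arcfour-hmac)
   4 HTTP/web.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
EOF
    cat > "$d/krb5.config" <<'EOF'
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts aes256-cts-hmac-sha384-192
EOF
    blocked_keys "$d/klist.txt" "$d/krb5.config"
    rm -rf "$d"
}
demo
```

A keytab that holds only keys reported by this check cannot be used under the current policy; one that also holds a permitted key type points to a different cause.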