Getting IWA error in Proxy while using Kerberos as authentication mechanism.

Article ID: 414331

Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

The customer could not browse the internet: while accessing a website, the proxy kept sending repeated authentication requests and each validation attempt failed.
Joining the AD domain again did not help, so HTTP debug logs were collected.

The HTTP debug log shows the following:

tenant_id="5", case_number="test_probe_Test", sub_system="HTTP,AUTH", transaction_uuid="ac08676662dbaafa-0000000000019d35-0000000068ad6fa7", start_time="2025-08-26 08:26:15:869 UTC"
    HTTP CW 111E828EA40
        debug
            [Detect_h2_prior_knowledge_upgrade]
0000.002
            Detect_h2_prior_knowledge_upgrade - status from recvfromtimed_min(peek): 24
            HTTP/2 connection preface not detected, continuing as HTTP/1.x
            SET_FUNCTION_PTR: CW_Object::Read_request line: 584
            [Read_request]
            Reset Request_buf request_len to 0
            [Successfully_read_data]
            [Parse_request]
            Parse_request called. beg=1117400D000 end=1117400D5B4 length=1460
            Parse_request state=first-line
            [Convert_ws_to_http_request_line]
            [Find_protocol_start]
            Parse_request state=hdr-fields
            Parse_request in state=hdr-fields
0000.003
            Request header: Host: clientservices.example.com:443
 
            Request header: Proxy-Connection: keep-alive
 
            Request header: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0.0.0.0 Safari/537.36
 
            [Successfully_read_data]
            [Parse_request]
            Parse_request called. beg=1117400D0F8 end=1117400DB68 length=2672
            Parse_request state=hdr-fields
            Parse_request in state=hdr-fields
            [Successfully_read_data]
            [Parse_request]
            Parse_request called. beg=1117400D0F8 end=1117400E0FB length=4099
            Parse_request state=hdr-fields
            Parse_request in state=hdr-fields
            Request header: Proxy-Authorization: Negotiate YIIL4gYGKwYBBQUCoIIL1jCCC9KgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCC5wEgguYYIILlAYJKoZIhvcSAQICAQBugguDMIILf6ADAgEFoQMCAQ6iBwMFACAAAACjggmaYYIJljCCCZKgAwIBBaERGw9HRU8uQ09SUC5IQ0wu
            end-of-headers found
            [Copy_bytes_to_raw_headers_buf]
            [Parse_request_url]
            HTTP_Url::Parse_ex: HTTP CW 111E828EA40 Common_parse
            HTTP_Url::Parse_ex: HTTP CW 111E828EA40 Parse_auth_redirect
            HTTP_Url::Parse_ex: HTTP CW 111E828EA40 Parse_auth_query
            HTTP_Url::Parse_ex: HTTP CW 111E828EA40 Parse_patience_query
            HTTP_Url::Parse_ex: HTTP CW 111E828EA40 Parse_ex_complete
            hostname='clientservices.esampleapis.com', port='443', 
            [Need_more_request_body_data]
            No more data in request | new length:4347 | old length:4347
            SET_FUNCTION_PTR: CW_Object::Determine_flow line: 962
            [Determine_flow]
            ClassificationID: 8
            request from: XX.XX.XX.XX:56384, transaction_id: 529716, qualifier: http.proxy, method: CONNECT, URL: tcp://clientservices.exampleapis.com:443/
            [Handoff_local_service]
            Could not find secure-service by port=443
            Could not determine service for tcp://clientservices.exampleapis.com:443/
            POLICY: Evaluating PE_POLICY_CHECKPOINT_CLIENT_IN
    PDW t=529716 for=FDC002C0
            User_auth::Authenticate
 
            Not authenticated.
 
    libauthenticator.exe.so
            Authenticate IP, request: 10BA7673E00
 
    Authenticate stack extender
            B64 Cred: YIIL4gYGKwYBBQUCoIIL1jCCC9KgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCC5wEgguYYIILlAYJKoZIhvcSAQICAQBugguDMIILf6ADAgEFoQMCAQ6iBwMFACAAAACjggmaYYIJljCCCZKgAwIBBaERG
        error
            gss_accept_sec_context failed. Major: 0xD0000, Minor: 0x96C73A23(-1765328349). The ticket isn't for us
        debug
            Error 0x250208 from GSSAPI
    PDW t=529716 for=FDC002C0
            Realm Test_iwa, authenticate result 2425352

Cause

The error "gss_accept_sec_context failed. Major: 0xD0000, Minor: 0x96C73A23" indicates a general Kerberos-related issue in which the server side failed to accept the security context. The minor status 0x96C73A23 likely translates to "Key table entry not found", which suggests that the system cannot locate the correct Kerberos keytab file containing the keys needed to authenticate the service. This often happens when the keytab path is incorrect or the file itself is missing or corrupted.
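As an added example (not part of the article and not the proxy vendor's code), the following Python decoder pulls the gss_accept_sec_context line out of an HTTP/AUTH debug log like the one above, splits the GSS major status into its RFC 2744 fields (calling error, routine error, supplementary bits), and converts the Kerberos minor status from hex to the signed com_err value that the proxy prints in parentheses and then to its offset from the MIT krb5 error table base. That lets the minor code be checked against any hypothesis about its meaning, and it also records the message text the proxy itself logged after the code. The sample log is constructed from the lines shown above (the client IP is the article's redacted placeholder and the ticket blob is truncated); the small code table covers only a handful of MIT krb5 codes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, assembled from the article's debug output (ticket blob truncated,
# client IP left as the redacted placeholder the article uses).
SAMPLE_LOG = """\
tenant_id="5", case_number="test_probe_Test", sub_system="HTTP,AUTH", transaction_uuid="ac08676662dbaafa-0000000000019d35-0000000068ad6fa7", start_time="2025-08-26 08:26:15:869 UTC"
            Request header: Proxy-Authorization: Negotiate YIIL4gYGKwYBBQUCoIIL1jCCC9Kg...
            request from: XX.XX.XX.XX:56384, transaction_id: 529716, qualifier: http.proxy, method: CONNECT, URL: tcp://clientservices.exampleapis.com:443/
            User_auth::Authenticate
            Not authenticated.
            gss_accept_sec_context failed. Major: 0xD0000, Minor: 0x96C73A23(-1765328349). The ticket isn't for us
            Error 0x250208 from GSSAPI
            Realm Test_iwa, authenticate result 2425352
"""

# ERROR_TABLE_BASE_krb5 from MIT krb5 (0x96C73A00 when viewed as unsigned 32-bit).
KRB5_ERROR_TABLE_BASE = -1765328384

# A few MIT krb5 com_err codes, keyed by offset from the table base, that commonly
# appear in IWA/Kerberos troubleshooting. Names and messages as defined by MIT krb5.
KRB5_OFFSETS: Dict[int, tuple] = {
    31: ("KRB5KRB_AP_ERR_BAD_INTEGRITY", "Decrypt integrity check failed"),
    32: ("KRB5KRB_AP_ERR_TKT_EXPIRED", "Ticket expired"),
    35: ("KRB5KRB_AP_ERR_NOT_US", "The ticket isn't for us"),
    37: ("KRB5KRB_AP_ERR_SKEW", "Clock skew too great"),
    41: ("KRB5KRB_AP_ERR_MODIFIED", "Message stream modified"),
    181: ("KRB5_KT_NOTFOUND", "Key table entry not found"),
}

# GSS-API routine errors (RFC 2744), stored in bits 16-23 of the major status.
GSS_ROUTINE_ERRORS = {
    0: "GSS_S_COMPLETE", 1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 7: "GSS_S_NO_CRED",
    9: "GSS_S_DEFECTIVE_TOKEN", 10: "GSS_S_DEFECTIVE_CREDENTIAL",
    11: "GSS_S_CREDENTIALS_EXPIRED", 12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE",
}

GSS_FAIL_RE = re.compile(
    r"gss_accept_sec_context failed\. Major: 0x([0-9A-Fa-f]+), "
    r"Minor: 0x([0-9A-Fa-f]+)\((-?\d+)\)\.\s*(.*)")
REQ_RE = re.compile(r"request from: (\S+):(\d+), transaction_id: (\d+).*URL: (\S+)")
REALM_RE = re.compile(r"Realm (\S+), authenticate result (\d+)")


def to_signed32(value: int) -> int:
    """Interpret a 32-bit pattern as a signed integer (how com_err codes are printed)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def decode_gss_major(major: int) -> dict:
    """Split a GSS major status into its RFC 2744 fields."""
    routine = (major >> 16) & 0xFF
    return {"calling": (major >> 24) & 0xFF, "routine": routine,
            "routine_name": GSS_ROUTINE_ERRORS.get(routine, "unknown"),
            "supplementary": major & 0xFFFF}


def decode_krb5_minor(minor: int) -> dict:
    """Map a mechanism minor status to its offset in the MIT krb5 error table."""
    signed = to_signed32(minor)
    offset = signed - KRB5_ERROR_TABLE_BASE
    in_table = 0 <= offset < 256  # each com_err table holds at most 256 codes
    name, message = KRB5_OFFSETS.get(offset, ("unknown", None)) if in_table else ("not-krb5", None)
    return {"signed": signed, "offset": offset, "name": name, "message": message}


@dataclass
class GssFailure:
    client: Optional[str]
    transaction_id: Optional[str]
    url: Optional[str]
    realm: Optional[str]
    major: dict
    minor: dict
    logged_message: str      # text the proxy printed after the minor code
    decimal_consistent: bool  # proxy's parenthesised decimal == our signed conversion


def find_gss_failures(log_text: str) -> List[GssFailure]:
    """Scan a debug log and return one record per gss_accept_sec_context failure."""
    client = txn = url = None
    failures: List[GssFailure] = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            client, txn, url = m.group(1), m.group(3), m.group(4)
            continue
        m = GSS_FAIL_RE.search(line)
        if m:
            minor = decode_krb5_minor(int(m.group(2), 16))
            failures.append(GssFailure(client, txn, url, None,
                                       decode_gss_major(int(m.group(1), 16)), minor,
                                       m.group(4).strip(), minor["signed"] == int(m.group(3))))
            continue
        m = REALM_RE.search(line)
        if m and failures and failures[-1].realm is None:
            failures[-1].realm = m.group(1)  # realm line follows the failure in this log
    return failures


if __name__ == "__main__":
    for f in find_gss_failures(SAMPLE_LOG):
        print(f"realm={f.realm} client={f.client} txn={f.transaction_id} url={f.url}")
        print(f"  major: routine={f.major['routine']} ({f.major['routine_name']})")
        print(f"  minor: {f.minor['signed']} = krb5 base + {f.minor['offset']} -> {f.minor['name']}")
        print(f"  proxy text: '{f.logged_message}' (decimal consistent: {f.decimal_consistent})")
```

The routine error 13 in the major status (0xD0000) is GSS_S_FAILURE, which only says "consult the mechanism-specific minor status"; the minor status is the one carrying the Kerberos meaning, so the decoder reports both the offset-derived name and the message the proxy actually logged so that they can be compared.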

Resolution

- Clear the credentials and set the credentials again on the proxy.

- On the client machine, run klist purge from the command prompt. The klist purge command deletes all cached Kerberos tickets on a Windows client, which is useful when troubleshooting authentication issues after a password change or a domain transition. Open an administrative command prompt, type klist purge and press Enter; the command clears the Kerberos ticket cache of the currently logged-in user, forcing the system to request new tickets.

How to use the klist purge command:

- Open an administrative Command Prompt window.
- Type the command klist purge.
- Press Enter to execute the command.

Additional Information

Microsoft Reference link:
=========================
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-client-krb-ap-err-modified-error