Request to Kerberos enabled webagent results in 500 error and 'Kerberos Credential Cache login failed with service' error message


Article ID: 50704


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

A request to a Kerberos-enabled web agent results in a 500 error because the credential cache is not initialized:

[06/11/2010][14:51:43][2928][2732][0592a8c0-0b70-4c1293cf-0aac-01282047][SmKcc::getCredentials][Kerberos Credential Cache login failed with service principal HTTP/[email protected]: Key table entry not found]

And

[2928/2732][Fri Jun 11 2010 14:51:43][CSmCredentialManager.cpp:235][ERROR] HLA: Analyzer from module 'SM_WAF_HTTP_PLUGIN' returned unknown response code '-1' for component 'Credential Manager'.
[2928/2732][Fri Jun 11 2010 14:51:43][CSmHighLevelAgent.cpp:873][ERROR] HLA: Component reported fatal error: 'Credential Manager'.

Solution:

The request to the Kerberos-enabled web agent returned a 500 error because of an inappropriate encryption type.

The solution is to set the encryption type appropriately in the Krb5.ini file. Configure a Kerberos configuration file (Krb5.ini) and place it in the Windows system root path.

See the sample krb5.ini below:

[libdefaults]
default_realm = TEST.COM
default_keytab_name = C:\WINDOWS\wasrvwin2k3iis6.keytab
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms]
TEST.COM = {
kdc = winkdc.test.com:88
default_domain = TEST.COM
}
[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
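
To confirm that the encryption types in krb5.ini line up with the keys stored in the keytab, the following added example (not vendor code) parses the [libdefaults] enctype list and the keytab's binary entries, then returns the configured enctypes that have a key for the service principal. The function names, the host web.test.com and the sample keytab bytes are constructed for illustration; an empty result means the keytab holds no key of any configured type for that principal.

```python
import struct
# IANA enctype numbers -> canonical krb5.ini names (aliases are not handled)
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def ini_enctypes(text, key="default_tkt_enctypes"):
    """Enctype names listed for `key` in the [libdefaults] section."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                return value.replace(",", " ").split()
    return []

def keytab_entries(data):
    """Yield (principal, kvno, enctype) from a keytab in file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # hole left by a deleted entry
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        fields, p = [], pos + 2
        for _ in range(ncomp + 1):          # realm first, then name components
            (n,) = struct.unpack_from(">H", data, p)
            fields.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        _type, _time, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        if pos + size - (p + 13 + klen) >= 4:   # optional trailing 32-bit kvno
            kvno = struct.unpack_from(">I", data, p + 13 + klen)[0] or kvno
        yield "/".join(fields[1:]) + "@" + fields[0], kvno, ENCTYPES.get(etype, str(etype))
        pos += size

def usable_enctypes(ini_text, keytab, principal):
    """Configured enctypes for which the keytab holds a key for `principal`."""
    have = {e for name, _, e in keytab_entries(keytab) if name == principal}
    return [e for e in ini_enctypes(ini_text) if e in have]
# Constructed sample: one AES256 key (dummy 4-byte key data) for a made-up host
SAMPLE_KEYTAB = (b"\x05\x02\x00\x00\x00\x31\x00\x02\x00\x08TEST.COM\x00\x04HTTP\x00\x0cweb.test.com"
                 b"\x00\x00\x00\x01\x00\x00\x00\x00\x03\x00\x12\x00\x04\x00\x00\x00\x00")
SAMPLE_INI = "[libdefaults]\ndefault_tkt_enctypes = rc4-hmac des-cbc-md5\n"
```

For a real check, pass the keytab contents read in binary mode and the text of the Krb5.ini file. The des-cbc-md5 and rc4-hmac types in the sample file are deprecated by RFC 6649 and RFC 8429, so prefer AES enctypes where the KDC and the keytab both support them.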

Environment

Release:
Component: SMIIS