Kerberos Credential Cache login failed with the service in the Kerberos enabled Web Agent, resulting in 500 errors

Article ID: 50704


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign-On, CA Single Sign On Agents (SiteMinder), SITEMINDER

Issue/Introduction

Requests to a Kerberos-enabled Web Agent result in 500 errors because the credential cache is not initialized.

webagent.trace:

[06/11/2010][14:51:43][2928][2732][][SmKcc::getCredentials][Kerberos Credential Cache login failed with service principal HTTP/[email protected]: Key table entry not found]

and

webagent.log:

[2928/2732][Fri Jun 11 2010 14:51:43][CSmCredentialManager.cpp:235][ERROR] HLA: Analyzer from module 'SM_WAF_HTTP_PLUGIN' returned unknown response code '-1' for component 'Credential Manager'.
[2928/2732][Fri Jun 11 2010 14:51:43][CSmHighLevelAgent.cpp:873][ERROR] HLA: Component reported fatal error: 'Credential Manager'.

Resolution

Requests to the Kerberos-enabled Web Agent result in a 500 error.

The "Key table entry not found" failure was due to an inappropriate encryption type.

The solution is to set the encryption type appropriately in the krb5.ini file.

Configure a Kerberos configuration file (Krb5.ini) and place it in the Windows system root path.

See the sample krb5.ini below:

[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = C:\WINDOWS\keytab.keytab
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms]
EXAMPLE.COM = {
kdc = winkdc.example.com:88
default_domain = EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
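
To confirm the mismatch before editing krb5.ini, the encryption types of the service principal's keytab entries can be compared with `default_tkt_enctypes`. The Python below is an added example, not part of the original article or the product; it assumes a keytab in MIT format version 0x0502, and the principal name `HTTP/web.example.com@EXAMPLE.COM` and the key bytes are constructed sample data.

```python
import struct

ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def make_entry(realm, comps, etype, key):
    """Build one keytab entry; used only to construct the sample data below."""
    body = struct.pack(">H", len(comps))
    for s in [realm, *comps]:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, 1, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def keytab_entries(blob):
    """Yield (principal, enctype name) for each live entry of a 0x0502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size > 0:                       # a negative size marks a deleted slot
            yield parse_entry(blob[pos:pos + size])
        pos += abs(size)

def parse_entry(e):
    (ncomp,) = struct.unpack_from(">H", e, 0)
    pos, parts = 2, []
    for _ in range(ncomp + 1):             # realm first, then the name components
        (n,) = struct.unpack_from(">H", e, pos)
        parts.append(e[pos + 2:pos + 2 + n].decode())
        pos += 2 + n
    (etype,) = struct.unpack_from(">H", e, pos + 9)  # skip name type, timestamp, vno8
    return "/".join(parts[1:]) + "@" + parts[0], ETYPES.get(etype, str(etype))

def configured_enctypes(ini_text, key="default_tkt_enctypes"):
    for line in ini_text.splitlines():
        name, _, value = line.partition("=")
        if name.strip() == key:
            return value.split()
    return []

def usable_keys(blob, ini_text, principal):
    """Enctypes of the principal's keytab entries that krb5.ini also lists."""
    allowed = configured_enctypes(ini_text)
    return [et for p, et in keytab_entries(blob) if p == principal and et in allowed]

# Constructed sample input: the enctype line from the krb5.ini above, dummy keys.
KRB5_INI = "[libdefaults]\ndefault_tkt_enctypes = rc4-hmac des-cbc-md5\n"
PRINCIPAL = "HTTP/web.example.com@EXAMPLE.COM"
AES_ONLY = b"\x05\x02" + make_entry("EXAMPLE.COM", ["HTTP", "web.example.com"], 18, bytes(32))
WITH_RC4 = AES_ONLY + make_entry("EXAMPLE.COM", ["HTTP", "web.example.com"], 23, bytes(16))
```

An empty result from `usable_keys` corresponds to the "Key table entry not found" condition. rc4-hmac and des-cbc-md5 are deprecated enctypes (RFC 8429, RFC 6649); if the KDC and the keytab both carry AES keys, the same check passes with the AES enctypes listed in krb5.ini instead.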