search cancel

CA Access Gateway (SPS) Kerberos Authentication reports error : Message=Unknown code FF 165


Article ID: 8759


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


We're running CA Access Gateway (SPS), and when our browser reach the Kerberos Authentication Scheme, the Agent cannot authenticate the user because it cannot get the token for [email protected] :

  Failed to create delegated GSSAPI token on behalf of HTTP/[email protected] for [email protected]: Minor Status=100005, Major tatus=851968, Message=Unknown code FF 165 

How can we solve this issue?



The issue was caused as user was accessing kerberos authentication using a virtual host, which is defined on a domain (.myotherdomain.local) different of the kerberos domain (.internal.local). The kerberos domain requested should match the one defined in the krb5.ini file.



Policy Server 12.6SP1 on Windows 2012R2 SPS 12.6SP1 on Windows 2012R2 Policy Store on CA Directory 12.6 RDC on Active Directory 2012R2 all machine in the same Windows domain internal.local


In order to solve this issue you have to define and use the kerberos authentication on the same domain (.internal.local) as defined in the krb5.ini file.