
CA Access Gateway (SPS) Kerberos Authentication reports error : Message=Unknown code FF 165


Article ID: 8759


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We're running CA Access Gateway (SPS), and when our browser reaches the Kerberos Authentication Scheme, the Agent cannot authenticate the user because it cannot get the token for [email protected]:

  Failed to create delegated GSSAPI token on behalf of HTTP/[email protected] for [email protected]: Minor Status=100005, Major Status=851968, Message=Unknown code FF 165

How can we solve this issue?

 

Cause

The issue occurred because the user was accessing Kerberos authentication through a virtual host defined on a domain (.myotherdomain.local) different from the Kerberos domain (.internal.local). The Kerberos domain requested must match the one defined in the krb5.ini file.

 

Environment

Policy Server 12.6SP1 on Windows 2012R2
SPS 12.6SP1 on Windows 2012R2
Policy Store on CA Directory 12.6
RDC on Active Directory 2012R2
All machines in the same Windows domain internal.local

Resolution

To solve this issue, define and use Kerberos authentication on the same domain (.internal.local) as the one defined in the krb5.ini file.