Web Agent kerberos permission denied

book

Article ID: 118667

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

I'm running Web Agent, which protects a resource with Kerberos
Authentication scheme, and suddenly, the authentication doesn't work
anymore and the Web Agent reports error :


@ Sun, 30 Sep 2018 02:09:41 +000 

[2467] 1538273381.162330: Getting initial credentials for 
HTTP/[email protected] 

[2467] 1538273381.162602: Setting initial creds service to 
krbtgt/[email protected] 

[2467] 1538273381.162700: Couldn't lookup etypes in keytab: 
13/Permission denied 

[...] 

[2467] 1538273381.260416: Retrieving 
HTTP/[email protected] from 
FILE:/etc/wa.keytab (vno 0, enctype rc4-hmac) with result: 
13/Permission denied 

[2467] 1538273381.260425: Preauth module encrypted_timestamp (2) 
(flags=1) returned: 13/Permission denied 

How can I fix this ?

Cause

We noted that the Web Agent OS date and time was in the future.

Environment

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

Resolution

We changed the time back two days ago by restarting the ntp client on 
the machine and the network clock set it as per the other machines to 
Fri, 28 Sep 2018 11:47:01 +0000, and the permission denied issue 
disapeared. 

[2936] 1538135221.803975: Selected etype info: etype rc4-hmac, salt 
"", params "" 

[2936] 1538135221.804095: Retrieving 
HTTP/[email protected] from 
FILE:/etc/wa.keytab (vno 0, enctype rc4-hmac) with result: 0/Success 

[2936] 1538135221.804186: AS key obtained for encrypted timestamp: 
rc4-hmac/3086