
Cannot contact any KDC for requested realm


Article ID: 122165


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We're running CA Access Gateway (SPS), and when users try to
authenticate with the Kerberos authentication scheme, they cannot log in
because the CA Access Gateway (SPS) seems unable to contact
the KDC:

  [11/29/2018][18:22:50][2308][5204][23a92ace-31f0175a-738a10df-9952b1cb-46955b03-9b7][SmKcc::getCredentials][token length before validating is 5368]

  [11/29/2018][18:22:55][2308][5204][23a92ace-31f0175a-738a10df-9952b1cb-46955b03-9b7][SmKcc::getCredentials][Failed to create delegated GSSAPI token on behalf of HTTP/[email protected] for [email protected]: Minor Status=-1765328228, Major Status=851968, Message=Cannot contact any KDC for requested realm]

How can we fix this?

Environment

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

Resolution

  Modify krb5.ini on the CA Access Gateway (SPS) and on the Policy Server
  so that it points to another KDC, because the current one was corrupted
  and no longer answers. This solved the issue.

  To illustrate:

  Change KDC1.mydomain.com to KDC2.mydomain.com

  from 

  [realms] 
  MYDOMAIN.COM = { 
  kdc = KDC1.mydomain.com 
  default_domain = mydomain.com
  } 

  to

  [realms] 
  MYDOMAIN.COM = { 
  kdc = KDC2.mydomain.com 
  default_domain = mydomain.com
  } 

  Restart the CA Access Gateway (SPS) and the Policy Server services after making the changes.
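
  To confirm that the KDCs named in krb5.ini answer before restarting the services, the following added example (not part of the original article or of the product) parses the [realms] section and attempts a TCP connection to each kdc entry. The function names, the script name check_kdc.py and the KDC3 entry with port 750 are assumptions made for the illustration.

```python
import socket
import sys

# Constructed sample based on the article's corrected file; the ":750" entry is invented.
SAMPLE_KRB5_INI = """[realms]
MYDOMAIN.COM = {
kdc = KDC2.mydomain.com
kdc = KDC3.mydomain.com:750
default_domain = mydomain.com
}
"""

def parse_kdcs(text):
    """Return {realm: [(host, port), ...]} from flat [realms] blocks; port defaults to 88."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif section != "realms" or not line or line[0] in "#;":
            continue
        elif line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms[realm] = []
        elif line.startswith("}"):
            realm = None
        elif realm and line.partition("=")[0].strip() == "kdc":
            host, _, port = line.partition("=")[2].strip().partition(":")
            realms[realm].append((host, int(port) if port else 88))
    return realms

def kdc_reachable(host, port=88, timeout=3.0):
    """True if a TCP connection to the KDC port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_realm(text, realm, probe=kdc_reachable):
    """Return [(host, port, reachable)] for every kdc entry of the realm."""
    return [(h, p, probe(h, p)) for h, p in parse_kdcs(text).get(realm, [])]

if __name__ == "__main__":  # usage: check_kdc.py <path to krb5.ini> <REALM>
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            for host, port, ok in check_realm(fh.read(), sys.argv[2]):
                print(f"{host}:{port}", "reachable" if ok else "NO ANSWER")
    else:  # no arguments: only show what the constructed sample parses to
        print(parse_kdcs(SAMPLE_KRB5_INI))
```

  A successful connection only shows that the port answers over TCP; it does not prove that the KDC can issue tickets. IPv6 literals in kdc values are not handled.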