Patrick-Dussault

Tech Tip : CA Single Sign-On : Web Agent kerberos permission denied

Discussion created by Patrick-Dussault Employee on Oct 30, 2018

Issue:

I'm running a Web Agent that protects a resource with the Kerberos
authentication scheme. Suddenly, authentication doesn't work anymore
and the Web Agent reports this error:

@ Sun, 30 Sep 2018 02:09:41 +000

[2467] 1538273381.162330: Getting initial credentials for HTTP/duspa01-u171282.training.com@TRAINING.COM

[2467] 1538273381.162602: Setting initial creds service to krbtgt/TRAINING.COM@TRAINING.COM

[2467] 1538273381.162700: Couldn't lookup etypes in keytab: 13/Permission denied

[...]

[2467] 1538273381.260416: Retrieving HTTP/duspa01-u171282.training.com@TRAINING.COM from FILE:/etc/wa.keytab (vno 0, enctype rc4-hmac) with result: 13/Permission denied

[2467] 1538273381.260425: Preauth module encrypted_timestamp (2) (flags=1) returned: 13/Permission denied

How can I fix this?

Cause:

We noted that the Web Agent OS date and time were in the future.

Resolution:

We changed the time back by two days by restarting the NTP client on
the machine; the network clock then set it, as on the other machines,
to Fri, 28 Sep 2018 11:47:01 +0000, and the permission denied issue
disappeared.

[2936] 1538135221.803975: Selected etype info: etype rc4-hmac, salt "", params ""

[2936] 1538135221.804095: Retrieving HTTP/duspa01-u171282.training.com@TRAINING.COM from FILE:/etc/wa.keytab (vno 0, enctype rc4-hmac) with result: 0/Success

[2936] 1538135221.804186: AS key obtained for encrypted timestamp: rc4-hmac/3086

KB : KB000118667
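
The second field of each trace entry above is the host clock as a Unix epoch time, so the trace itself shows what time the Web Agent machine believed it was. The following is an added example, not part of the original post or of CA's tooling: it parses entries in the format shown on this page and compares the recorded clock with a trusted reference time. The function names, the 300-second tolerance (the MIT krb5 default `clockskew`) and the reference time used in the sample are assumptions.

```python
import re
from datetime import datetime, timezone

# Entry header as it appears on this page: "[pid] epoch.microseconds: message"
ENTRY = re.compile(r"^\[(\d+)\] (\d+)\.(\d+): (.*)$")

# Constructed sample: three entries copied from the failing trace, wrapped as posted.
SAMPLE = """\
[2467] 1538273381.162330: Getting initial credentials for
HTTP/duspa01-u171282.training.com@TRAINING.COM
[2467] 1538273381.162700: Couldn't lookup etypes in keytab:
13/Permission denied
[...]
[2467] 1538273381.260425: Preauth module encrypted_timestamp (2)
(flags=1) returned: 13/Permission denied
"""

def parse_trace(text):
    """Return (pid, utc_datetime, message) tuples; wrapped lines are rejoined."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            when = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
            entries.append([int(m.group(1)), when, m.group(4)])
        elif line and line != "[...]" and entries:
            entries[-1][2] += " " + line  # continuation of the previous entry
    return [tuple(e) for e in entries]

def clock_report(text, reference_utc, max_skew_s=300):
    """Compare the host clock recorded in the trace with a trusted reference."""
    entries = parse_trace(text)
    # Signed skew of the first entry: positive means the host clock is ahead.
    skew = (entries[0][1] - reference_utc).total_seconds()
    denied = [msg for _, _, msg in entries if "13/Permission denied" in msg]
    return {"host_time": entries[0][1], "skew_s": skew,
            "skewed": abs(skew) > max_skew_s, "denied": denied}

if __name__ == "__main__":
    # Assumed reference: the trusted time at which the trace was captured.
    reference = datetime(2018, 9, 28, 2, 9, 41, tzinfo=timezone.utc)
    print(clock_report(SAMPLE, reference))
```

In practice the reference time should come from a source other than the affected host, such as the KDC or another machine synchronized to the network clock.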
