Issue:
We're running CA Access Gateway (SPS), and when users try to
authenticate with the Kerberos authentication scheme they cannot log in,
because the CA Access Gateway (SPS) does not seem to be able to contact
the KDC:
[11/29/2018][18:22:50][2308][5204][23a92ace-31f0175a-738a10df-9952b1cb-46955b03-9b7][SmKcc::getCredentials][token length before validating is 5368]
[11/29/2018][18:22:55][2308][5204][23a92ace-31f0175a-738a10df-9952b1cb-46955b03-9b7][SmKcc::getCredentials][Failed to create delegated GSSAPI token on behalf of HTTP/mysps.mydomain.com@MYDOMAIN.COM for smps@mypolicyserver.mydomain.com: Minor Status=-1765328228, Major Status=851968, Message=Cannot contact any KDC for requested realm]
How can we fix this?
Resolution:
Modify the krb5.ini on both the CA Access Gateway (SPS) and the Policy Server
to point to another KDC, because the current one was corrupted and no longer
answers. This solved the issue.
To illustrate:
Change KDC1.mydomain.com to KDC2.mydomain.com
from
[realms]
MYDOMAIN.COM = {
kdc = KDC1.mydomain.com
default_domain = mydomain.com
}
to
[realms]
MYDOMAIN.COM = {
kdc = KDC2.mydomain.com
default_domain = mydomain.com
}
Restart the CA Access Gateway (SPS) and the Policy Server services after the changes.
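A pre-restart check for the change above, as an added example that is not part of the original article: it reads the kdc entries for a realm from krb5.ini text and tests whether each host accepts a TCP connection on the Kerberos port (88 unless the entry names another). The sample file content is constructed, the function names are hypothetical, and a successful connect only shows the port is listening, not that the KDC issues tickets.

```python
import re
import socket

# Constructed sample mirroring the [realms] layout shown in this article.
SAMPLE_KRB5_INI = """\
[realms]
MYDOMAIN.COM = {
kdc = KDC2.mydomain.com
default_domain = mydomain.com
}
"""

def kdcs_for_realm(text, realm):
    """Return [(host, port)] for every 'kdc =' line of `realm` under [realms]."""
    section, current, found = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].strip().lower(), None
        elif section == "realms":
            m = re.match(r"^(\S+)\s*=\s*\{$", line)
            if m:                                 # start of a realm block
                current = m.group(1)
            elif line == "}":                     # end of a realm block
                current = None
            elif current == realm:
                m = re.match(r"^kdc\s*=\s*([^\s:]+)(?::(\d+))?$", line)
                if m:                             # default Kerberos port is 88
                    found.append((m.group(1), int(m.group(2) or 88)))
    return found

def kdc_reachable(host, port=88, timeout=3.0):
    """True if a TCP connection to the KDC port succeeds within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                               # DNS failure, refused, timeout
        return False

if __name__ == "__main__":
    # Replace SAMPLE_KRB5_INI with the contents of the real krb5.ini.
    for host, port in kdcs_for_realm(SAMPLE_KRB5_INI, "MYDOMAIN.COM"):
        state = "reachable" if kdc_reachable(host, port) else "NOT reachable"
        print(f"{host}:{port} {state}")
```

Run it on both the CA Access Gateway (SPS) and the Policy Server hosts, since each reads its own krb5.ini.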
KB: KB000122165