Symantec Access Management

  • 1.  Kerberos Authentication encryption types supported

    Posted Dec 10, 2018 10:46 AM

    What are the encryption types supported in CA SSO for Kerberos?

    Is it only rc4-hmac? Does CA SSO support AES256-SHA1?



  • 2.  Re: Kerberos Authentication encryption types supported

    Posted Dec 12, 2018 02:34 AM

    HubertDennis


    Could you please help me with this?

    What are the encryption types supported by CA SSO/Access Gateway?

    I am trying with AES256-SHA1, but I get an error as below.

    "Kerberos Credential Cache login failed with service principal HTTP/xxxx@***.***: Decrypt integrity check failed"

    Any clue why I get this?



  • 3.  Re: Kerberos Authentication encryption types supported

    Posted Jan 03, 2019 04:47 AM

    Chris_Hackett


    Could someone please help me with the above?



  • 4.  Re: Kerberos Authentication encryption types supported

    Posted Jan 03, 2019 11:31 AM

    @Patrick-Dussault  would you be able to assist? Thanks!



  • 5.  Re: Kerberos Authentication encryption types supported
    Best Answer

    Broadcom Employee
    Posted Jan 04, 2019 02:35 AM

    Hi,

    Please accept my apologies for coming late to this thread.

    Yes, the Kerberos encryption type AES256-SHA1 is supported.

    Encryption types

    https://web.mit.edu/kerberos/krb5-latest/doc/admin/enctypes.html

    CA Single Sign-On 12.8 runs MIT Kerberos version 1.15.2.

    Third-Party Software Acknowledgments

    MIT Kerberos 1.15.2

    https://docops.ca.com/ca-single-sign-on/12-8/en/third-party-software-acknowledgments

    Then, the error

    "Kerberos Credential Cache login failed with service principal
    HTTP/xxxx@***.***: Decrypt integrity check failed"

    means that the password is incorrect. Probably the key has changed on
    the KDC and the data in the CA Access Gateway (SPS) cache are not
    valid anymore.

    I hope this helps you,

    I wish you and your family, and all this community, a Very Happy New Year 2019!

    Best Regards,
    Patrick



  • 6.  Re: Kerberos Authentication encryption types supported

    Posted Jan 16, 2019 05:50 AM

    Hi Patrick-Dussault,

    What does it mean if there is the error 'Cannot find KDC for realm "corp.com"'?

    Regards,

    Joseph Christie



  • 7.  Re: Kerberos Authentication encryption types supported

    Posted Jan 07, 2019 01:38 AM

    Dear Patrick-Dussault,

    Thank you for your suggestion. Yes, as you have mentioned, it was the password which was entered incorrectly while creating the keytab.

    Thank you.



  • 8.  Re: Kerberos Authentication encryption types supported

    Broadcom Employee
    Posted Jan 16, 2019 05:58 AM

    Hi,

    It means that, according to the Kerberos configuration files on the OS,
    the program cannot find a KDC for the requested realm.

    You can refer to the documentation to get a basic krb5.conf content.

    Configure a Kerberos Configuration File
    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication/configure-a-kerberos-configuration-file

    Pay attention to the section:

    [domain_realm]

    You may need to add the domain without the starting dot:

    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

    Hope that helps,


    Best Regards,
    Patrick
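
    The two krb5.conf problems discussed in this thread (a [domain_realm] entry present only in its dotted form, and a realm for which the OS configuration lists no KDC, which is what "Cannot find KDC for realm" reports) can be checked mechanically. The following is an added example, not part of this thread and not CA SSO or MIT code: a small Python checker run against a constructed config modelled on the snapshot posted here, with EXAMPLE.COM and dc-1.example.com as assumed sample names.

```python
# Constructed sample modelled on the thread's snapshot (names are assumptions)
SAMPLE_CONF = """
[libdefaults]
dns_lookup_kdc = false
default_realm = EXAMPLE.COM
[domain_realm]
.example.com = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
; DCs listed here are tried by Kerberos first
kdc = dc-1.example.com:88
}
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: [values]}}, with one level of
    '{ ... }' sub-blocks (as used by [realms]) stored as nested dicts."""
    sections, section, block = {}, {}, None  # keys before any [section] are discarded
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        if line.startswith("["):
            section, block = sections.setdefault(line.strip("[]"), {}), None
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:  # keys such as kdc may repeat, so values are kept as lists
                (block if block is not None else section).setdefault(key, []).append(value)
    return sections

def check_krb5_conf(text):
    """Return findings for the two problems discussed in the thread; [] means clean."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    domain_realm, realms = conf.get("domain_realm", {}), conf.get("realms", {})
    findings = []
    for domain in domain_realm:  # ".example.com" maps hosts under it, not "example.com" itself
        if domain.startswith(".") and domain[1:] not in domain_realm:
            findings.append(f"domain_realm: add '{domain[1:]} = {domain_realm[domain][0]}'")
    # MIT krb5 treats dns_lookup_kdc as true when the key is absent
    dns_lookup = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower() in ("true", "yes", "1")
    referenced = {v[0] for v in domain_realm.values()} | set(libdefaults.get("default_realm", []))
    for realm in sorted(referenced):
        if not dns_lookup and not realms.get(realm, {}).get("kdc"):
            findings.append(f"realms: no kdc for '{realm}' with dns_lookup_kdc off (Cannot find KDC for realm)")
    return findings
```

    Run check_krb5_conf() on the real /etc/krb5.conf text before restarting the Access Gateway; an empty list means neither of the two issues above is present.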



  • 9.  Re: Kerberos Authentication encryption types supported

    Posted Jan 17, 2019 04:12 AM

    Dear Patrick,

    I have the configuration as you have mentioned, and yes, I followed the same document you mentioned. Would it be anything related to the Windows service accounts that were created?

    Below is a snapshot of my conf file:

    [libdefaults]

    ; dns_lookup_kdc = false
    ; ticket_lifetime = 24000
    default_realm = xxxx.xxxx
    default_keytab_name = /opt/smuser/wakrb0104.keytab
    default_tkt_enctypes = AES256-SHA1
    default_tgs_enctypes = AES256-SHA1

    [domain_realm]

    xxxx.xxxx = xxxx.xxxx

    [realms]

    xxxx.xxxx = {
    ; DCs specified here will be always tried by Kerberos first and at least
    ; one of them must be functional. The list can be pruned if desired.
    ; kdc = ***.***.***.**:88
    ; kdc = ***.***.***.**:88
    ; kdc = ***.***.***.**:88
    ; kdc = ***.***.***.**:88
    kdc = osl-dc-1.xxxx.xxxx:88
    default_domain = xxxx.xxxx