Layer7 API Management

  • 1.  Kerberos keytab file failing with Authentication error

    Posted Dec 14, 2017 02:09 AM

    Hi,

     

    I have created a Kerberos keytab after running the setspn and ktpass commands.

    The keytab is imported into the Gateway but is failing with a Kerberos authentication error.

     

    I captured the network traffic and found the Kerberos flow is going only halfway through.

    The DNS lookup is happening, then AS-REQ and AS-REP are also going through fine.

    But the Client (Gateway) is not able to initiate TGS-REQ for Kerberos ticket.

     

    Did anyone face a similar problem?



  • 2.  Re: Kerberos keytab file failing with Authentication error

    Posted Dec 14, 2017 02:07 PM

    Please make sure domain controllers are discoverable using DNS resolution. Alternatively, you can use gateway cluster properties or the krb5.conf file to specify domains and domain controller IPs. The following cluster properties might help with discovering domain controllers.

     

    krb5.kdc // Configure IP address

    krb5.realm // Configure fully qualified domain name.



  • 3.  Re: Kerberos keytab file failing with Authentication error
    Best Answer

    Broadcom Employee
    Posted Dec 20, 2017 07:08 PM

    Dear Rudra_Singh ,

    It seems we have a support ticket for this issue. The root cause is the realm being in lowercase. It was resolved after using uppercase.

     

    Please confirm and mark this discussion as answered.

     

    Regards,

    Mark



  • 4.  Re: Kerberos keytab file failing with Authentication error

    Posted Dec 20, 2017 09:17 PM

    Dear Mark_HE,

     

    Yes, the problem was fixed after setting the principal with REALM in uppercase.

     

     

    Regards,

    Rudra
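
The root cause confirmed in this thread, a lowercase realm in the keytab principal, can be checked offline before importing a keytab. The following is an added example, not code from the posters or from the Gateway: it assumes the keytab uses the MIT 0x0502 layout, the function names are hypothetical, and the principal and key bytes are constructed sample data.

```python
import struct

def _pack(s):  # counted string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(s)) + s

def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_entry(realm, components, kvno=3, enctype=18, key=b"\x00" * 32):
    """Build one keytab entry (constructed sample data, not a real key)."""
    body = struct.pack(">H", len(components)) + _pack(realm.encode())
    body += b"".join(_pack(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno)      # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _pack(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, realm, kvno, enctype)] for each live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size <= 0:                            # negative length = deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _counted(entry, 2)
        parts = []
        for _ in range(ncomp):
            comp, off = _counted(entry, off)
            parts.append(comp.decode())
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", entry, off)
        out.append(("/".join(parts), realm.decode(), kvno, enctype))
    return out

def lowercase_realm_findings(data):
    """Principals whose realm is not all uppercase (the root cause in this thread)."""
    return [f"{p}@{r}" for p, r, _, _ in parse_keytab(data) if r != r.upper()]

# Constructed sample keytab: same SPN once with a lowercase realm, once uppercase.
SAMPLE = (b"\x05\x02"
          + build_entry("example.com", ["HTTP", "gateway.example.com"])
          + build_entry("EXAMPLE.COM", ["HTTP", "gateway.example.com"]))

if __name__ == "__main__":
    print(lowercase_realm_findings(SAMPLE))
```

To check a real file, pass its bytes (for example `open(path, "rb").read()`) to `lowercase_realm_findings`; any principal it returns should be regenerated with the realm in uppercase.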