Layer7 Access Management

Tech Tip : CA Single Sign-On : Web Agent returns "CredentialManager returned SmFailure, end new request" when processing Kerberos Authentication Scheme

  • 1.  Tech Tip : CA Single Sign-On : Web Agent returns "CredentialManager returned SmFailure, end new request" when processing Kerberos Authentication Scheme

    Posted 11-28-2017 04:35 AM

    Issue:


    We're running SPS, and when a user comes to the Kerberos authentication scheme, then the browser recieves error 500 and the SPS Agent indicates this error :

     

    [07/27/2017][15:30:15][1168][560][55438e88-26830e23-8b935970-4538d084-9391120d-9][CSmCredentialManager::GatherAdvancedAuthCredentials][SM_WAF_HTTP_PLUGIN-> ProcessAdvancedAuthCredentials returned SmFailure.]
    [07/27/2017][15:30:15][1168][560][55438e88-26830e23-8b935970-4538d084-9391120d-9][ProcessAdvancedAuthentication][CredentialManager returned SmFailure, end new request.]

     

    How can we solve this?

     

    Environment:


    Policy Server 12.6.01 on Windows 2012R2; Access Gateway (SPS) 12.6.01 on Windows 2012R2; Policy Store on CA Directory 12.6; RDC on Active Directory 2012R2; * all machines in the same Windows domain

     

    Resolution:

     

    Configure the ccache parameter in the krb5.ini :

     

    C:\windows\krb5.ini

    [libdefaults]

    default_ccache_name = FILE:%{TEMP}\krb5cc_%{uid}

     

    And also don't forget to add the .kcc in the IgnoreExt ACO parameter to ensure the SPS to trigger the Kerberos processing:

    IgnoreExt=.class,.gif,.jpg,.jpeg,.png,.fcc,.scc,.sfcc,.ccc,.ntc,.sac,.css,.kcc

     

    This will solve the issue.

     

    KB : TEC1371198