Symantec Access Management

Tech Tip : CA Single Sign-On : Web Agent kerberos permission denied

    Broadcom Employee
    Posted Oct 30, 2018 04:55 AM

    Issue:


    I'm running Web Agent, which protects a resource with the Kerberos
    Authentication scheme, and suddenly the authentication doesn't work
    anymore and the Web Agent reports this error:

    @ Sun, 30 Sep 2018 02:09:41 +000

    [2467] 1538273381.162330: Getting initial credentials for HTTP/duspa01-u171282.training.com@TRAINING.COM
    [2467] 1538273381.162602: Setting initial creds service to krbtgt/TRAINING.COM@TRAINING.COM
    [2467] 1538273381.162700: Couldn't lookup etypes in keytab: 13/Permission denied
    [...]
    [2467] 1538273381.260416: Retrieving HTTP/duspa01-u171282.training.com@TRAINING.COM from FILE:/etc/wa.keytab (vno 0, enctype rc4-hmac) with result: 13/Permission denied
    [2467] 1538273381.260425: Preauth module encrypted_timestamp (2) (flags=1) returned: 13/Permission denied

    How can I fix this?

    Cause:

    We noted that the Web Agent OS date and time was in the future.

     

    Resolution:

    We changed the time back two days ago by restarting the NTP client on
    the machine and the network clock set it as per the other machines to
    Fri, 28 Sep 2018 11:47:01 +0000, and the permission denied issue
    disappeared.

    [2936] 1538135221.803975: Selected etype info: etype rc4-hmac, salt "", params ""
    [2936] 1538135221.804095: Retrieving HTTP/duspa01-u171282.training.com@TRAINING.COM from FILE:/etc/wa.keytab (vno 0, enctype rc4-hmac) with result: 0/Success
    [2936] 1538135221.804186: AS key obtained for encrypted timestamp: rc4-hmac/3086

     

    KB : KB000118667
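
    A triage helper for trace output in the format shown above, added here as an example and not part of the original post or the product: it rejoins wrapped trace lines, pulls out the `errno/text` results, and reports how far the host clock is from a trusted reference time. The function names, the constructed reference time and the 300-second threshold (the MIT krb5 default `clockskew`) are assumptions of this example.

```python
import re
from datetime import datetime, timezone

MAX_SKEW = 300  # seconds; MIT krb5 default "clockskew" tolerance (assumed threshold)
TRACE_RE = re.compile(r"^\[(\d+)\] (\d+)\.\d+: (.*)$")  # [pid] epoch.usec: message
RESULT_RE = re.compile(r": (-?\d+)/(.+)$")              # trailing "errno/text"

# Failing trace lines from the post, wrapped as they appear there.
SAMPLE = """\
[2467] 1538273381.162330: Getting initial credentials for
HTTP/duspa01-u171282.training.com@TRAINING.COM
[2467] 1538273381.162700: Couldn't lookup etypes in keytab:
13/Permission denied
[2467] 1538273381.260416: Retrieving
HTTP/duspa01-u171282.training.com@TRAINING.COM from
FILE:/etc/wa.keytab (vno 0, enctype rc4-hmac) with result:
13/Permission denied
"""

def parse_trace(text):
    """Join wrapped lines and return one dict per trace record."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = TRACE_RE.match(line)
        if m:
            when = datetime.fromtimestamp(int(m.group(2)), timezone.utc)
            records.append({"pid": int(m.group(1)), "when": when, "msg": m.group(3)})
        elif line and records:
            records[-1]["msg"] += " " + line  # continuation of a wrapped record
    for rec in records:
        res = RESULT_RE.search(rec["msg"])
        rec["code"] = int(res.group(1)) if res else None
        rec["error"] = res.group(2) if res and rec["code"] else None
    return records

def triage(text, reference_utc):
    """Return failing records plus the trace clock's offset from the reference."""
    records = parse_trace(text)
    skew = (records[-1]["when"] - reference_utc).total_seconds()
    return {"failures": [r for r in records if r["error"]],
            "skew_seconds": skew,
            "skew_exceeded": abs(skew) > MAX_SKEW}

if __name__ == "__main__":
    # Constructed reference: a trusted clock reading two days behind the trace.
    ref = datetime(2018, 9, 28, 2, 9, 41, tzinfo=timezone.utc)
    report = triage(SAMPLE, ref)
    for r in report["failures"]:
        print(r["when"].isoformat(), r["code"], r["error"])
    print("skew:", report["skew_seconds"], "exceeded:", report["skew_exceeded"])
```

    Take the reference time from a host known to be NTP-synchronised at the moment the trace is captured; a positive skew means the traced host is ahead of it.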