Symantec Access Management

Tech Tip : CA Single Sign-On : Cannot contact any KDC for requested realm

  • 1.  Tech Tip : CA Single Sign-On : Cannot contact any KDC for requested realm

    Posted 11-30-2018 05:41 AM

    Issue:

     

    We're running CA Access Gateway (SPS) and when users try to
    authenticate with Kerberos authentication scheme, they cannot login
    because the CA Access Gateway (SPS) seems to not be able to contact
    the KDC :

     

    [11/29/2018][18:22:50][2308][5204][23a92ace-31f0175a-
    738a10df-9952b1cb-46955b03-9b7][SmKcc::getCredentials][token
    length before validating is 5368]

     

    [11/29/2018][18:22:55][2308][5204][23a92ace-31f0175a-
    738a10df-9952b1cb-46955b03-9b7][SmKcc::getCredentials][Failed
    to create delegated GSSAPI token on behalf of
    HTTP/mysps.mydomain.com@MYDOMAIN.COM for smps@mypolicyserver.mydomain.com: Minor
    Status=-1765328228, Major Status=851968, Message=Cannot contact any
    KDC for requested realm]

     

    How can we fix this ?

     

    Resolution:

     

    Modify the krb5.ini on CA Access Gateway (SPS) and Policy Server in order to point
    to another KDC as the current one was corrupted and doesn't answer
    anymore. This solved the issue.

     

    To illustrate :

     

    Change KDC1.mydomain.com to KDC2.mydomain.com

     

    from

     

    [realms]
    MYDOMAIN.COM = {
    kdc = KDC1.mydomain.com
    default_domain = mydomain.com
    }

     

    to

     

    [realms]
    MYDOMAIN.COM = {
    kdc = KDC2.mydomain.com
    default_domain = mydomain.com
    }

     

    Restart the CA Access Gateway (SPS) and the Policy Server services after the changes

     

    KB : KB000122165