Symantec Access Management

  • Private Community
 View Only

  • 1.  Failed to validate remote GSSAPI token: Key table entry not found

    Posted Aug 12, 2013 05:27 AM
    I try to build a environment for Kerberos Authentication Scheme for Apache Web Server on Windows 2008R2
    My environment are

    AD & DNS windows 2008 SP1

    Policy Server R12.5 windows 2008 SP1 (Host Name is POLISERVER)

    Web Agenet R12.5
    Apache Web Server on windows 2008R2 (Host Name is APHSERVER)

    I create two account service name ,generate & deploy two keytab files
    policy server : kbssmuser (service principal is smps/POLISERVER.abc.com)
    web server : kbsapserver (service principal is HTTP/APHSERVER.abc.com)

    ACO configuration
    httpserviceprincipal='HTTP/APHSERVER.abc.com@ABC.COM'.
    smpsserviceprincipal='smps/POLISERVER.abc.com@ABC.COM'.


    But I try to verify the protect resource url
    The Apahce Web Server return 500 error code
    The WebAgent Trace log return error message : Failed to validate remote GSSAPI token: Key table entry not found

    How do I fix the problem ?

    Regards,

    Tommy


  • 2.  RE: Failed to validate remote GSSAPI token: Key table entry not found

     
    Posted Aug 21, 2013 01:41 PM
    Hi All,

    Any suggestions here for Tommy?

    Thanks!
    Chris


    tsai_hsing wrote:

    I try to build a environment for Kerberos Authentication Scheme for Apache Web Server on Windows 2008R2
    My environment are

    AD & DNS windows 2008 SP1

    Policy Server R12.5 windows 2008 SP1 (Host Name is POLISERVER)

    Web Agenet R12.5
    Apache Web Server on windows 2008R2 (Host Name is APHSERVER)

    I create two account service name ,generate & deploy two keytab files
    policy server : kbssmuser (service principal is smps/POLISERVER.abc.com)
    web server : kbsapserver (service principal is HTTP/APHSERVER.abc.com)

    ACO configuration
    httpserviceprincipal='HTTP/APHSERVER.abc.com@ABC.COM'.
    smpsserviceprincipal='smps/POLISERVER.abc.com@ABC.COM'.


    But I try to verify the protect resource url
    The Apahce Web Server return 500 error code
    The WebAgent Trace log return error message : Failed to validate remote GSSAPI token: Key table entry not found

    How do I fix the problem ?

    Regards,

    Tommy


  • 3.  RE: Failed to validate remote GSSAPI token: Key table entry not found

    Posted Aug 21, 2013 11:53 PM
    Hi Chris
    I had try to use Kerberos Authentication Scheme for Apache Web Server on Windows 2008R2 about two months but still does not work fine

    And also ask CA on line support help.
    Now support gave me a answer "the authentication server and the web agent protecting those resources must be on a Microsoft IIS web server."
    I don't knows if it is final answer that " I must use IIS instead of Apache for Kerberos Authentication Scheme "
    As I knew if I choice IIS on Windows ,I can just use IWA Authentication Scheme (NTLM) ,I don' need working hot to set up Kerberos Authentication Scheme steps.
    Thanks.

    Regards,

    Tommy


  • 4.  Re: RE: Failed to validate remote GSSAPI token: Key table entry not found

    Broadcom Employee
    Posted Sep 16, 2014 08:13 AM

    Hi,

     

    It is probably late to come on this, but just in case :

     

    Apache is supported and will work with Kerberos

    and SiteMinder.

     

    The error :

     

    Failed to validate remote GSSAPI token: Key table entry not found

     

    Check :

     

    - The AD Account you use have just and only 1 Principal;

    - The AD Account has the same kvno as the one in the

      keytab;

    - The krb5.ini is configure and located at the default

      place on the OS file system;

    - The keytab file is reachable and readable;

     

    Best Regards,

    Patrick



  • 5.  Re: RE: Failed to validate remote GSSAPI token: Key table entry not found

    Posted Jan 14, 2015 01:25 AM

    It should not matter if it is IIS or Apache.

     

    If this is still an issue for you, please try setting up following my document here.

    How to setup SiteMinder Kerberos Authentication - Part 1

     

    In this document, the web server is IIS 7.5 but it should not matter if the web server is Apache.

     

    Cheers,

     

    Kim



  • 6.  Re: Failed to validate remote GSSAPI token: Key table entry not found

    Posted Apr 11, 2018 02:45 PM

    #tsai_hsing
    Please let us know how did you resolve the following error.



  • 7.  Re: Failed to validate remote GSSAPI token: Key table entry not found

    Posted Jul 29, 2015 01:25 AM

    Hi Tommy Tsai_Hsing

     

    I see that this is marked as assumed answered. However were you able to resolve this error message?

     

    [07/29/2015][01:08:45.021][19016][2910451520][SmKCC.cpp:139][SmKcc::getCredentials][Failed to validate remote GSSAPI token: Minor Status=-1765328203, Major Status=851968, Message=Key table entry not found][wa_apache][/demo/headers.pl][GET][*10.130.211.115][][][][]

     

     

    Regards

    Hubert