ZENworks Configuration Management 2017 Update 2
With Kerberos set, users can't login.
ERROR (from primary or satellite ats.log)
[WARN] [11/07/2018 14:51:16.582]  [ATS]  [zenworks] [CASAServer]  [(ClientAddr=192.168.0.111)Krb5Token Constructor()- GSS Exception caught: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)] [authtoksvc.Krb5Authenticate$Krb5Token]   [CASA]
[WARN] [11/07/2018 14:51:16.583]  [ATS]  [zenworks] [CASAServer]  [(ClientAddr=192.168.0.111)invoke()- Exception: java.lang.Exception: Authentication Failure] [authtoksvc.Krb5Authenticate]   [CASA]
ERROR (from zmd-messages.log in debug):
[KerberosAuthMechanismHandler]  [Exception Message :System.Exception: Failed to get the client token Return Status : -2146892990
The error -2146892990 is not a ZCM error, but a native Windows Kerberos error indicating a problem with the key.
Confirm if there is a group policy set for Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options / Network security: Configure encryption types allowed for Kerberos. If so determine which encryption types are allowed.
If there is a restriction , ensure that the setting on the Kerberos principal account used by ZENworks has set Account Properties / Account Options to match. For example "This Account Supports Kerberos AES 256 bit encryption". If the account setting does not match, set it to match. A new keytab will need to be created and added to ZCC after the change. When making the keytab, use the crypto parameter appropriately.
Otherwise this error may be seen:
GSS Exception caught: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)] [authtoksvc.Krb5Authenticate$Krb5Token]   [CASA]
If the security principal account has restrictions on what kerberos keys it can use, ensure that the keytab file can use the same key or use /crypto ALL
example: ktpass /crypto ALL /princ HOST/atsserver.domain.com@DOMAIN.COM -pass password -mapuser domain\atsserver -out file.keytab -mapOp set -ptype KRB5_NT_PRINCIPAL
NOTE: It is more secure to use the proper crypto type in the above command rather than ALL. For more information see https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/