Environment
ZENworks Configuration Management 2017 Update 2
Situation
With Kerberos authentication configured, users cannot log in.
ERROR (from the primary or satellite ats.log):
[WARN] [11/07/2018 14:51:16.582] [6045] [ATS] [113] [zenworks] [CASAServer] [] [(ClientAddr=192.168.0.111)Krb5Token Constructor()- GSS Exception caught: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)] [authtoksvc.Krb5Authenticate$Krb5Token] [] [] [CASA]
[WARN] [11/07/2018 14:51:16.583] [6045] [ATS] [113] [zenworks] [CASAServer] [] [(ClientAddr=192.168.0.111)invoke()- Exception: java.lang.Exception: Authentication Failure] [authtoksvc.Krb5Authenticate] [] [] [CASA]
ERROR (from zmd-messages.log with debug logging enabled):
[KerberosAuthMechanismHandler] [] [Exception Message :System.Exception: Failed to get the client token Return Status : -2146892990
Resolution
The error -2146892990 is not a ZCM error, but a native Windows Kerberos error indicating a problem with the key.
Suggestion:
Check whether a Group Policy is set under Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options / Network security: Configure encryption types allowed for Kerberos. If so, determine which encryption types it allows.
If the policy restricts the encryption types, ensure that the Kerberos principal account used by ZENworks has matching options set under Account Properties / Account Options, for example "This account supports Kerberos AES 256 bit encryption". If the account setting does not match, change it to match. After the change, a new keytab must be created and added to ZCC; when creating the keytab, pass the matching value to the crypto parameter.
Otherwise, this error may be seen:
GSS Exception caught: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)] [authtoksvc.Krb5Authenticate$Krb5Token] [] [] [CASA]
If the security principal account is restricted in which Kerberos key types it can use, ensure that the keytab file contains a key of the same type, or use /crypto ALL.
Example: ktpass /crypto ALL /princ HOST/atsserver.domain.com@DOMAIN.COM -pass password -mapuser domain\atsserver -out file.keytab -mapOp set -ptype KRB5_NT_PRINCIPAL
NOTE: It is more secure to specify the exact crypto type in the above command rather than ALL. For more information, see https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/
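As an added example (not code from this article or from ZENworks), the following Python script parses a keytab in the format ktpass writes and reports which encryption types allowed by a SupportedEncryptionTypes bitmask (the policy value and the account's msDS-SupportedEncryptionTypes attribute use the same bits) have no matching key in the keytab. The keytab it checks is constructed sample data with dummy key bytes; the mismatch it finds is the one behind the "Cannot find key of appropriate type to decrypt AP REP - AES256" error above.

```python
import struct
# Bits shared by the Kerberos encryption-types policy value and msDS-SupportedEncryptionTypes, mapped to enctype numbers
ETYPE_BITS = {0x1: 1, 0x2: 3, 0x4: 23, 0x8: 17, 0x10: 18}  # DES-CRC, DES-MD5, RC4, AES128, AES256

def allowed_etypes(mask):
    """Decode a SupportedEncryptionTypes bitmask into Kerberos enctype numbers."""
    return {et for bit, et in ETYPE_BITS.items() if mask & bit}
def _cstr(data, off):  # counted octet string: uint16 length followed by the bytes
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n
def keytab_entries(blob):
    """Parse a format-0x0502 keytab (what ktpass writes) into (principal, kvno, enctype) tuples."""
    assert blob[:2] == b"\x05\x02", "only keytab format 0x0502 is handled"
    off, out = 2, []
    while off < len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                   # negative size marks a deleted slot; skip its payload
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        realm, p = _cstr(blob, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _cstr(blob, p)
            comps.append(c.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", blob, p)
        (etype,) = struct.unpack_from(">H", blob, p + 9)
        _key, p = _cstr(blob, p + 11)  # key bytes themselves are not needed for this check
        if end - p >= 4:               # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", blob, p)
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        off = end
    return out
def missing_etypes(blob, mask):
    """Enctypes the policy/account allows for which the keytab holds no key."""
    return allowed_etypes(mask) - {e for _, _, e in keytab_entries(blob)}
def make_keytab(principal, kvno, etypes, key=b"\x11" * 16):
    """Build a constructed sample keytab with dummy key bytes, one entry per enctype."""
    name, realm = principal.split("@")
    comps = name.split("/")
    names = b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    blob = b"\x05\x02"
    for et in etypes:
        entry = struct.pack(">H", len(comps)) + names + struct.pack(">IIB", 1, 0, kvno)
        entry += struct.pack(">H", et) + struct.pack(">H", len(key)) + key
        blob += struct.pack(">i", len(entry)) + entry
    return blob
```

An empty result from missing_etypes() means the keytab carries a key for every type the account advertises, so whichever type the KDC picks for the service ticket can be decrypted.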