Kerberos error logging in

  • 7023258
  • 12-Aug-2018
  • 12-Aug-2018

Environment

ZENworks Configuration Management 2017 Update 2

Situation

With Kerberos set, users can't log in.

ERROR (from zmd-messages.log in debug):

[KerberosAuthMechanismHandler] [] [Exception Message :System.Exception: Failed to get the client token Return Status : -2146892990

Resolution

The error -2146892990 is not a ZCM error, but a native Windows Kerberos error indicating a problem with the key.

Suggestion:

Confirm whether a group policy is set for Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options / Network security: Configure encryption types allowed for Kerberos. If so, determine which encryption types are allowed.

If there is a restriction, ensure that Account Properties / Account Options on the Kerberos principal account used by ZENworks is set to match, for example "This Account Supports Kerberos AES 256 bit encryption". If the account setting does not match, set it to match. A new keytab will need to be created and added to ZCC after the change. Otherwise this error may be seen:

GSS Exception caught: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)] [authtoksvc.Krb5Authenticate$Krb5Token] [] [] [CASA]C
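
The comparison described in the Resolution, as an added PowerShell example (not part of the original article or of ZENworks): it decodes the policy's encryption-type bitmask and the account's `msDS-SupportedEncryptionTypes` bitmask and reports whether they share a type. The function names and the sample masks are constructed for illustration; `<principal>` is a placeholder for the account used by ZENworks. The status -2146892990 is 0x80090342 as an unsigned value, which winerror.h defines as SEC_E_KDC_UNKNOWN_ETYPE.

```powershell
# Added example. Bit flags shared by the policy registry value
# SupportedEncryptionTypes and the AD attribute msDS-SupportedEncryptionTypes.
$ETypes = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function ConvertTo-ETypeName([int]$Mask) {
    # Names of the known encryption types whose bit is set in $Mask.
    @($ETypes.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object Key)
}

function Compare-KerberosEType([int]$PolicyMask, [int]$AccountMask) {
    # 0x1F keeps only the five known types; the policy's
    # "Future encryption types" bits are ignored for the comparison.
    $common = $PolicyMask -band $AccountMask -band 0x1F
    [pscustomobject]@{
        Policy  = (ConvertTo-ETypeName $PolicyMask) -join ', '
        Account = (ConvertTo-ETypeName $AccountMask) -join ', '
        Common  = (ConvertTo-ETypeName $common) -join ', '
        Match   = [bool]$common
    }
}

# Signed status from zmd-messages.log, shown as an unsigned HRESULT for lookup.
'0x{0:X8}' -f -2146892990

# On a live system the two inputs come from (the registry value exists only
# when the policy is configured; Get-ADUser needs the ActiveDirectory module):
#   (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters').SupportedEncryptionTypes
#   (Get-ADUser '<principal>' -Properties 'msDS-SupportedEncryptionTypes').'msDS-SupportedEncryptionTypes'

# Constructed sample values: policy allows AES128 + AES256 only.
$policy = 0x18

# Before the fix: no AES option ticked on the account, so nothing overlaps.
Compare-KerberosEType -PolicyMask $policy -AccountMask 0x00

# After ticking the AES 256 account option: AES256 is common to both.
Compare-KerberosEType -PolicyMask $policy -AccountMask 0x10
```

A `Match` of `False` corresponds to the mismatch described above; after correcting the account option, the keytab still has to be regenerated and added to ZCC.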