CA Access Gateway (SPS) Kerberos Authentication reports error : Message=Unknown code FF 165

Document ID : KB000008759
Last Modified Date : 14/02/2018
Issue:

We're running CA Access Gateway (SPS), and when our browser reaches the Kerberos Authentication Scheme, the Agent cannot authenticate the user because it cannot get the token for smps@myps.internal.local:

  Failed to create delegated GSSAPI token on behalf of HTTP/mysps.internal.local@INTERNAL.LOCAL for smps@myps.internal.local: Minor Status=100005, Major Status=851968, Message=Unknown code FF 165

How can we solve this issue?

 

Environment:

Policy Server 12.6SP1 on Windows 2012R2
SPS 12.6SP1 on Windows 2012R2
Policy Store on CA Directory 12.6
RDC on Active Directory 2012R2
All machines in the same Windows domain internal.local

Cause:

The issue occurred because the user was accessing Kerberos authentication through a virtual host defined in a domain (.myotherdomain.local) different from the Kerberos domain (.internal.local). The requested Kerberos domain should match the one defined in the krb5.ini file.

 

Resolution:

To solve this issue, define and use Kerberos authentication on the same domain (.internal.local) as the one defined in the krb5.ini file.
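
One way to check a host name against krb5.ini before publishing a virtual host, as an added example (not CA's code and not part of the original article): it reads the [domain_realm] section and reports whether each host maps to the default realm. The krb5.ini contents, the KDC name dc01.internal.local and the host portal.myotherdomain.local are constructed, and the lookup is a simplified model (exact host entry, then dotted parent domains).

```python
# Constructed krb5.ini; only the realm and domain names come from the article.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = INTERNAL.LOCAL
[realms]
INTERNAL.LOCAL = {
    kdc = dc01.internal.local
}

[domain_realm]
.internal.local = INTERNAL.LOCAL
"""

def parse_krb5(text):
    """Return (default_realm, {host_or_.domain: realm}) from krb5.ini text."""
    section, default_realm, mapping = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:                   # e.g. the closing "}" of a realm block
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "domain_realm":
            mapping[key.lower()] = value
    return default_realm, mapping

def realm_for_host(host, mapping):
    """Exact host entry first, then each parent domain written with a leading dot."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c] for c in candidates if c in mapping), None)

def check_hosts(krb5_text, hosts):
    """Map each host to (realm or None, True if that realm is the default realm)."""
    default_realm, mapping = parse_krb5(krb5_text)
    realms = {h: realm_for_host(h, mapping) for h in hosts}
    return {h: (r, r is not None and r == default_realm) for h, r in realms.items()}

if __name__ == "__main__":
    hosts = ["mysps.internal.local", "portal.myotherdomain.local"]  # second is hypothetical
    for host, (realm, ok) in check_hosts(SAMPLE_KRB5_INI, hosts).items():
        print(f"{host}: realm={realm} -> {'OK' if ok else 'MISMATCH'}")
```

A host reported as MISMATCH is in the situation described under Cause: its domain is not the one krb5.ini defines.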