Routing with Kerberos ticket failed with: Credentials for delegation not found

Document ID : KB000057518
Last Modified Date : 14/02/2018

Solution

Background

The Layer 7 Gateway supports the use of multiple types of Microsoft-specific authentication methods via Active Directory. Specifically, the Gateway is able to accept and process Kerberos tickets for authentication. An account in an Active Directory can be authorized for many types of delegated authority. The Gateway supports authenticating accounts that are authorized for "Use Kerberos Only." An example Active Directory configuration is displayed below.

[Figure: User Properties for Delegation in Active Directory]

If a request attempts to authenticate against an account in the Active Directory where "Use Kerberos Only" is selected, authentication may fail if the correct authentication method is not selected in the active published service policy via the Layer 7 Policy Manager. An error will occur if the Gateway attempts to authenticate a Kerberos-only user with non-Kerberos-based authentication.

Presentation

The following error message may appear when attempting to authenticate a Kerberos-only account with the incorrect assertion: Routing with Kerberos ticket failed with: Credentials for delegation not found.

Resolution

In order to avoid this error, the impacted service policy should use the Retrieve Kerberos Authentication Credentials assertion. This assertion should be configured with the following values:

  1. Realm: SUBDOMAIN.DOMAIN.COM
  2. Target SPN: http/server.subdomain.domain.com
  3. Gateway credentials: Use Gateway Keytab

Configuring the service policy and applicable assertion in this manner will allow the Gateway to authenticate to an account in an Active Directory that is enabled for only Kerberos-based authentication.
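
The following is an added example, not part of the original article or of the Gateway product: it classifies the Delegation setting of an account from its directory attributes, so "Use Kerberos Only" can be confirmed without the properties dialog. It assumes the account's userAccountControl and msDS-AllowedToDelegateTo values have already been read from Active Directory; the sample entry is constructed, and its SPN is the example value from the list above.

```python
# Added example: derive the Delegation-tab setting of an AD account from two
# LDAP attributes. The sample entry at the bottom is constructed.

# userAccountControl bits defined by Active Directory.
UF_TRUSTED_FOR_DELEGATION = 0x80000             # delegation to any service
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # "Use any authentication protocol"


def delegation_mode(user_account_control, allowed_to_delegate_to):
    """Return the Delegation-tab choice implied by the two attributes."""
    if user_account_control & UF_TRUSTED_FOR_DELEGATION:
        return "any service (unconstrained)"
    if not allowed_to_delegate_to:
        return "not trusted for delegation"
    if user_account_control & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "specified services, any authentication protocol"
    return "specified services, Kerberos only"


def spn_listed(target_spn, allowed_to_delegate_to):
    """True if target_spn is in the list; SPNs compare case-insensitively."""
    return target_spn.lower() in {s.lower() for s in allowed_to_delegate_to}


def check_account(entry, target_spn):
    """Summarise one directory entry (a dict of attribute name -> value)."""
    allowed = entry.get("msDS-AllowedToDelegateTo", [])
    mode = delegation_mode(entry["userAccountControl"], allowed)
    return {
        "mode": mode,
        "kerberos_only": mode == "specified services, Kerberos only",
        "target_spn_listed": spn_listed(target_spn, allowed),
    }


# Constructed sample: a normal account (0x200) with a non-expiring
# password (0x10000) and one service on its delegation list.
SAMPLE_ENTRY = {
    "userAccountControl": 0x200 | 0x10000,
    "msDS-AllowedToDelegateTo": ["http/server.subdomain.domain.com"],
}

if __name__ == "__main__":
    print(check_account(SAMPLE_ENTRY, "HTTP/server.subdomain.domain.com"))
```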