Kerberos SSO fails with error 'GSS_S_Failure'

Kerberos SSO fails with error 'GSS_S_Failure'

26320
Created On 09/25/18 19:48 PM - Last Modified 02/04/25 06:30 AM


Resolution


This article examines reasons for SSO faliure with error 'GSS_S_Failure.'

For information related to configuring Kerberos for Admin or Captive portal authentication, please click here

 

 

Details:

 

Error message in authd logs while Kerberos SSO authentication:

 

Screen Shot 2016-11-27 at 8.14.27 AM.png

 

 Reason 1:

 

- Algorithm used while generating keytab is different from algorithm used while TGS issues service ticket to the clients.

 

Screen Shot 2016-11-27 at 8.38.33 AM.png

 

KerbImg1.png 

Keytab was generated using algorithm AES256-SHA1 while the service ticket issued to client by TGS uses the default algorithm RC4-HMAC

In this case, either the keytab should also be generated using default algorithm RC4-HMAC or Kerberos administrator should be contacted to configure same algorithm for issuing service tickets.

NOTE:  Algorithm for "KerbTicket Encryption Type" in above mentioned O/P should match with the algorithm used while generating keytab. 

 

Reason 2:

Window/Linux client instance, KDC and/or the firewall has a time difference of more than ~3-4 mins. It is always better to have their time in sync for SSO to operate correctly.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldZCAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language