Kerberos SSO fails with error 'GSS_S_Failure'

Created On 09/25/18 19:48 PM - Last Modified 06/01/23 08:53 AM


Resolution


This article examines reasons for SSO failure with the error 'GSS_S_Failure'.

For information related to configuring Kerberos for Admin or Captive portal authentication, please click here

 

 

Details:

 

Error message in the authd logs during Kerberos SSO authentication:

[Screenshot: error message in the authd logs]

 

 Reason 1:

 

- The algorithm used to generate the keytab is different from the algorithm the TGS uses when it issues service tickets to clients.

 


 

The keytab was generated using the algorithm AES256-SHA1, while the service ticket issued to the client by the TGS uses the default algorithm RC4-HMAC.

 

In this case, either the keytab should also be generated using the default algorithm RC4-HMAC, or the Kerberos administrator should be contacted to configure the same algorithm for issuing service tickets.

 

 

Reason 2:

 

The Windows/Linux client instance, the KDC and/or the firewall have a time difference of more than ~3-4 mins. It is always better to keep their clocks in sync for SSO to operate correctly.


