This article examines reasons for SSO failure with the error 'GSS_S_Failure'.
For information related to configuring Kerberos for Admin or Captive portal authentication, please click here
Details:
Error message in the authd logs during Kerberos SSO authentication:
Reason 1:
- The algorithm used to generate the keytab differs from the algorithm the TGS uses when issuing service tickets to clients.
The keytab was generated using the algorithm AES256-SHA1, while the service ticket issued to the client by the TGS uses the default algorithm, RC4-HMAC.
In this case, either regenerate the keytab using the default algorithm RC4-HMAC, or contact the Kerberos administrator to configure the same algorithm for issuing service tickets.
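To confirm the mismatch described in Reason 1 before regenerating anything, the keytab's encryption types can be read straight from the file. The following is an added example, not code from the original article or the firewall vendor: it parses the MIT keytab format (version 0x0502) and reports which key versions match a given ticket encryption type. The function names, the principal HTTP/fw.example.com@EXAMPLE.COM and the sample keytab are constructed for illustration.

```python
import struct

def _counted(data, p):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def keytab_entries(data):
    """Return [(principal, kvno, etype)] from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # hole (deleted entry): skip its bytes
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        parts = []
        for _ in range(ncomp):
            name, p = _counted(data, p)
            parts.append(name)
        kvno = data[p + 8]                 # after 4-byte name type, 4-byte timestamp
        etype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + klen                     # step over the key bytes themselves
        if pos + size - p >= 4:            # optional trailing 32-bit kvno
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(parts) + "@" + realm, kvno, etype))
        pos += size
    return out

def usable_kvnos(data, ticket_etype):
    """Key versions in the keytab whose etype matches the service ticket's."""
    return [k for _, k, e in keytab_entries(data) if e == ticket_etype]

def build_entry(realm, parts, kvno, etype, key):
    """Build one keytab entry; used only to construct the sample input."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(parts)) + b"".join(s(x.encode()) for x in [realm] + parts)
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + s(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: AES256-SHA1 keytab (etype 18, aes256-cts-hmac-sha1-96), dummy key.
# The ticket in the article's scenario uses RC4-HMAC, which is etype 23.
SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.COM", ["HTTP", "fw.example.com"], 3, 18, bytes(32))
```

An empty list from usable_kvnos for the ticket's encryption type means the keytab holds no key that can decrypt that ticket. RC4-HMAC is deprecated (RFC 8429), so where the KDC can be configured, aligning both sides on AES is the stronger of the two fixes.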
Reason 2:
The Windows/Linux client instance, the KDC and/or the firewall have a time difference of more than ~3-4 mins. It is always better to keep their clocks in sync for SSO to operate correctly.