
ESP configuration - SSO SharePoint

Information

Summary:

The user configured KCD (Kerberos Constrained Delegation) for their SharePoint service. However, after entering credentials, the user receives a 404 error.

Environment:

Product: Loadmaster

Version: Any

Platform: Any

Application: Sharepoint with KCD

Question/Problem Description:

From our deployment guide for KCD: Kerberos Constrained Delegation – Kemp Support (kemptechnologies.com)

We can see that the error code 1765328371 corresponds to the following Kerberos error:

1765328371 - KRB5KDC_ERR_BADOPTION - KDC cannot fulfil requested option

 

The most common scenario is a request for a delegated ticket (unconstrained or constrained delegation). You will typically see this on the middle-tier server trying to access a back-end server. There are several reasons for rejection:
1. The service account is not trusted for delegation
2. The service account is not trusted for delegation to the SPN requested
3. The user’s account is marked as sensitive
4. The request was for a constrained delegation ticket to itself (constrained delegation is designed to allow a middle-tier service to request a ticket to a back-end service on behalf of another user, not on behalf of itself).
 

Steps to Reproduce:  
Error Message:
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: constrained_delegate: gss_init_sec_context failed with major 851968 and minor -1765328371
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# >>> kcd_get_user_ticket
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# >>>resolve_destination_address: Attempt to resolve destination [IP.X][2]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# <<<resolve_destination_address: Resolved destination host name [example.com]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# kcd_get_user_ticket: user=[user@example.com] [basename=[user.name]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# kcd_get_user_ticket: Destination name=[http/example.com@domain.com]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# kcd_get_user_ticket: kcd_ticket:0x7f7460b5bed0 [65536/65536]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# >>> get_impersonator_cred_handle
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# >>> get_impersonator_cred_handle - handle=0x7f74580412b0
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# kcd_get_user_ticket: Get a ticket on behalf of user user.name
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# kcd_get_user_ticket: Credentials aquired
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# init_accept_sec_context(): Target name: [ssokemp@example.com]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Target mech: [{ 1 3 6 1 5 5 2 }]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# init_accept_sec_context(): Source name: [user.name@example.com]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# init_accept_sec_context(): Source mech: [{ 1 2 840 113554 1 2 2 }]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Attribute urn:mspac: Authenticated Complete
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Attribute urn:mspac:logon-info Authenticated Complete
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Attribute urn:mspac:client-info Authenticated Complete
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Attribute urn:mspac:upn-dns-info Authenticated Complete
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Attribute urn:mspac:server-checksum Authenticated Complete
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Attribute urn:mspac:privsvr-checksum Authenticated Complete
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Proxy name: [ssokemp@example.com]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Target name: [http/domain.com@example.com]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Delegated name: [user.name@example.com]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Delegated mech: [{ 1 2 840 113554 1 2 2 }]
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# gss_init_sec_context: Unspecified GSS failure. Minor code may provide more information
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# gss_init_sec_context: KDC can't fulfill requested option
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: constrained_delegate: gss_init_sec_context failed with major 851968 and minor -1765328371
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# <<< kcd_get_user_ticket - ret=-1
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# kcd_reauth_thread: new ticket generation failed
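The log above shows the failure twice, as a GSS major/minor pair (851968 / -1765328371), while the deployment guide lists the code as a positive number. The following added example (not Kemp code) decodes both forms: the minor code is an offset from the MIT krb5 com_err table base, which yields the RFC 4120 error number (13 = KDC_ERR_BADOPTION), and it pulls the Destination/Target/Delegated principals out of the ssomgr lines so the SPN actually requested can be compared against the delegation settings. The table base, the RFC 4120 numbers and the GSS major layout are standard values; the regular expressions are assumed to match only the log format shown on this page.

```python
import re

# Added example (not Kemp code). MIT krb5's com_err table base: the RFC 4120
# error number is the offset from it, so 13 (KDC_ERR_BADOPTION) -> -1765328371.
KRB5_ERROR_TABLE_BASE = -1765328384

# Subset of RFC 4120 error codes that matter when triaging KCD (S4U2Proxy) failures.
RFC4120_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    13: "KDC_ERR_BADOPTION",
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
    41: "KRB_AP_ERR_MODIFIED",
}

MINOR_RE = re.compile(r"gss_init_sec_context failed with major (\d+) and minor (-?\d+)")
FIELD_RE = re.compile(r"(Destination name|Target name|Delegated name|Proxy name)[=:]\s*\[([^\]]+)\]")

def decode_minor(minor):
    """Map a krb5 minor code (either sign; the guide prints it positive, the log negative)."""
    offset = -abs(int(minor)) - KRB5_ERROR_TABLE_BASE
    return offset, RFC4120_ERRORS.get(offset, "UNKNOWN")

def gss_routine_error(major):
    """Name the routine-error field of a GSS major status (bits 16..23; 851968 == 13 << 16)."""
    return "GSS_S_FAILURE" if (int(major) >> 16) & 0xFF == 13 else "OTHER"

def triage(lines):
    """Pull the Kerberos error and the principals from ssomgr log lines (last value wins)."""
    summary = {"errors": [], "fields": {}}
    for line in lines:
        m = MINOR_RE.search(line)
        if m:
            offset, name = decode_minor(m.group(2))
            summary["errors"].append((gss_routine_error(m.group(1)), offset, name))
        for key, value in FIELD_RE.findall(line):
            summary["fields"][key] = value
    return summary

# Constructed sample: lines copied from the log block in this article.
SAMPLE_LOG = [
    "2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: constrained_delegate: gss_init_sec_context failed with major 851968 and minor -1765328371",
    "2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# kcd_get_user_ticket: Destination name=[http/example.com@domain.com]",
    "2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Target name: [http/domain.com@example.com]",
    "2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# Delegated name: [user.name@example.com]",
]
```

Running `triage(SAMPLE_LOG)` reports KDC_ERR_BADOPTION together with the target SPN, which is the value to check against the service account's "trusted for delegation to" list.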

For more information, refer to Kerberos errors in network captures - Microsoft Tech Community.

Defect Number:  
Enhancement Number:  
Cause:  
Resolution: Kerberos NOT Working:
As far as I can see, when it comes to the failed login attempts with the test account Sebastian, the Destination/Target that is used is either:
2023-04-12T14:50:08+07:00 KEMP-PRD ssomgr: SM: #31727# kcd_get_user_ticket: Destination name=[http/spp.m-lcs.com@MKRG.CORP]

The KCD fails with the error 1765328371 - KRB5KDC_ERR_BADOPTION - KDC cannot fulfill requested option.

The customer should verify the delegation settings and ensure that the SharePoint server has the correct service account set.
Workaround:  
Notes:  
