-
Title
Kerberos problem with GSSAPI in mixed Windows DC environment -
Description
Using GSSAPI to single-sign-on between QAS clients fails with the following error:
GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
No error
-
Cause
Windows domain controllers earlier than 2008 do not use AES encryption, so if some DCs are earlier that 2008, some clients will get Kerberos tickets that will not be usable by other DCs. This will usually only noticeable with using GSSAPI authentication between computers joined to different versioned DCs.
-
Resolution
Remove all AES encryption types from the host.keytab file, leaving only the arcfour-hmac-md5 keys, as follows:
/opt/quest/bin/vastool ktutil -k /etc/opt/quest/vas/host.keytab remove -e aes256-cts-hmac-sha1-96
/opt/quest/bin/vastool ktutil -k /etc/opt/quest/vas/host.keytab remove -e aes128-cts-hmac-sha1-96