Using GSSAPI to single-sign-on between QAS clients fails with the following error:
Unspecified GSS failure. Minor code may provide more information
Windows domain controllers earlier than 2008 do not use AES encryption, so if some DCs are earlier that 2008, some clients will get Kerberos tickets that will not be usable by other DCs. This will usually only noticeable with using GSSAPI authentication between computers joined to different versioned DCs.
Remove all AES encryption types from the host.keytab file, leaving only the arcfour-hmac-md5 keys, as follows:
/opt/quest/bin/vastool ktutil -k /etc/opt/quest/vas/host.keytab remove -e aes256-cts-hmac-sha1-96
/opt/quest/bin/vastool ktutil -k /etc/opt/quest/vas/host.keytab remove -e aes128-cts-hmac-sha1-96