IBM Support

KDC policy rejects request

Troubleshooting


Problem

When using a native Kerberos delegation junction, the following error appears in the WebSEAL message log: DPWAD1213E An error occurred when creating the Kerberos token: KDC policy rejects request

Symptom

Along with the above error in the message log, a TCP/IP trace shows the following error returned by the KDC:

KRB5KDC_ERR_POLICY NT Status : unknown error code

Cause

The service principal name (SPN) defined in the kerberos-service-name entry of the WebSEAL configuration file does not match the SPN that was written into the keytab when the ktpass command was run against the Active Directory user that represents the WebSEAL process.

Resolving The Problem

The problem can be solved in one of two ways:

1) change the SPN value defined for kerberos-service-name in the WebSEAL configuration file, or

2) run the ktpass command again on the KDC so that the principal it defines matches the value in kerberos-service-name, then reload the new keytab on the appliance.
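Before reloading a keytab, it is worth confirming that the principal it contains is exactly the one WebSEAL will request. The following script is an added example, not IBM code: it pulls the kerberos-service-name value out of a WebSEAL configuration fragment, parses the principals listed by MIT Kerberos `klist -k` for the keytab, and reports whether they match. The `[junction]` stanza name, the hostnames and the realm are assumptions for illustration; both inputs are constructed samples that you would replace with the real stanza and the real `klist -k` output. Because Kerberos principal names are case-sensitive, a keytab entry that differs only in case is reported separately from one that is missing altogether.

```python
"""Check that the WebSEAL kerberos-service-name SPN is present in the keytab.

Added example (not IBM's code). Inputs are constructed samples.
"""
import re

# Constructed sample of the relevant WebSEAL configuration stanza.
# Stanza name, hostname and realm are assumptions for illustration.
SAMPLE_CONF = """\
[junction]
kerberos-service-name = HTTP/webseal.example.com@EXAMPLE.COM
"""

# Constructed sample of `klist -k webseal.keytab` output (MIT Kerberos format),
# where ktpass was run with a different hostname than the one in the conf file.
SAMPLE_KLIST = """\
Keytab name: FILE:webseal.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/webseal01.example.com@EXAMPLE.COM
"""


def conf_service_name(conf_text):
    """Return the kerberos-service-name value from a conf fragment, or None."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "kerberos-service-name":
            return value.strip()
    return None


def keytab_principals(klist_text):
    """Parse `klist -k` output into the set of principal names it lists."""
    principals = set()
    for line in klist_text.splitlines():
        # Entry lines look like: "   3 HTTP/host@REALM" (KVNO, then principal).
        match = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if match:
            principals.add(match.group(1))
    return principals


def spn_mismatch(conf_text, klist_text):
    """Return a list of problem descriptions; an empty list means the SPN matches."""
    spn = conf_service_name(conf_text)
    if spn is None:
        return ["kerberos-service-name is not set in the configuration fragment"]
    principals = keytab_principals(klist_text)
    if not principals:
        return ["no principals found in the klist output"]
    if spn in principals:
        return []
    # Principal names are case-sensitive; flag near-misses explicitly so the
    # operator knows to fix the case rather than the whole name.
    case_only = [p for p in principals if p.lower() == spn.lower()]
    if case_only:
        return ["keytab principal %s differs from %s only in case" % (case_only[0], spn)]
    return ["SPN %s is not in the keytab; keytab contains: %s"
            % (spn, ", ".join(sorted(principals)))]


if __name__ == "__main__":
    problems = spn_mismatch(SAMPLE_CONF, SAMPLE_KLIST)
    print("OK: SPN found in keytab" if not problems else "MISMATCH: " + "; ".join(problems))
```

Run it after step 1 or step 2 with the real stanza and keytab listing; an empty result means the SPN WebSEAL sends and the principal the KDC issued the keytab for are identical, so the KDC has no reason to return KRB5KDC_ERR_POLICY for this cause.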

Product: Tivoli Access Manager for e-business (SSPREK)
Component: WebSeal AMP Appliance
Platform: Appliance (PF004)
Version: 8.0.1; 9.0
Business Unit: IBM Software w/o TPS (BU059)
Line of Business: Security Software (LOB24)

Document Information

Modified date:
16 June 2018

UID

swg21882686