Updates to Microsoft Windows enable security hardening for Microsoft Windows Server that blocks Ticket Granting Ticket (TGT) unconstrained delegation. As a result, Kerberos delegation fails. In many ways the failure looks like an ordinary delegation failure, but it is caused by this new feature.
Microsoft has implemented a netdom flag that controls whether TGT delegation is permitted across a trust. You set this flag with the following netdom command:
netdom trust trusted-domain-name /domain:trusting-domain-name /EnableTGTDelegation:<Yes|No>
In newer updates, the flag defaults to No. For traditional unconstrained delegation to work across a cross-domain trust, the flag must be set to Yes.
You can use the following PowerShell command to list all of the user accounts with unconstrained delegation from your AD server:
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; 524288 (0x80000) is the
# TRUSTED_FOR_DELEGATION bit of userAccountControl. Get-ADUser returns user objects only;
# use Get-ADComputer with the same filter to see computer accounts.
$user = Get-ADUser -Server "your-ad-server" -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
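The one-liner above lists user objects only and says nothing about the trust itself. The following script is an added example, not code from the SAS note or from Microsoft: it inventories every user and computer account flagged for unconstrained delegation (excluding domain controllers, which are trusted by design) and then decodes each trust's trustAttributes to report whether TGT delegation is enabled. It assumes the ActiveDirectory RSAT module and a reachable domain controller named in $Server (a placeholder). The userAccountControl bit values and the two TRUST_ATTRIBUTE_CROSS_ORGANIZATION_* bits are the documented values from MS-ADTS.

```powershell
# Added example (not from the SAS note): inventory unconstrained-delegation
# accounts and report the TGT-delegation state of each trust.
# Assumes the ActiveDirectory module and a reachable DC named in $Server.
param([string]$Server = "your-ad-server")   # placeholder: supply your DC

Import-Module ActiveDirectory

# userAccountControl bits (MS-ADTS):
$TRUSTED_FOR_DELEGATION = 0x80000   # 524288: unconstrained delegation
$SERVER_TRUST_ACCOUNT   = 0x2000    # 8192: domain controller account

# trustAttributes bits (MS-ADTS) that govern TGT delegation over a trust:
$NO_TGT_DELEGATION     = 0x200      # TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
$ENABLE_TGT_DELEGATION = 0x800      # TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION

# 1. Users AND computers with TRUSTED_FOR_DELEGATION set, excluding DCs.
#    Services that run as a machine identity are computer objects, which
#    Get-ADUser never returns, so query Get-ADObject instead.
$filter = "(&(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=$SERVER_TRUST_ACCOUNT)))"
$delegators = Get-ADObject -Server $Server -LDAPFilter $filter `
                           -Properties servicePrincipalName, userAccountControl

$delegators |
    Select-Object Name, ObjectClass,
        @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ';' } } |
    Format-Table -AutoSize

# 2. For every trust, decode whether the hardening flag has been set.
#    With neither bit present, the hardened default applies and TGT
#    delegation across the trust is blocked (the failure this note describes).
Get-ADTrust -Server $Server -Filter * | ForEach-Object {
    $attr  = [int]$_.TrustAttributes
    $state = if ($attr -band $ENABLE_TGT_DELEGATION) {
                 'EnableTGTDelegation=Yes'
             } elseif ($attr -band $NO_TGT_DELEGATION) {
                 'EnableTGTDelegation=No (explicitly blocked)'
             } else {
                 'not set (hardened default: TGT delegation blocked)'
             }
    [pscustomobject]@{
        Trust         = $_.Name
        Direction     = $_.Direction
        TGTDelegation = $state
    }
} | Format-Table -AutoSize
```

Run it from a workstation with RSAT against the domain that hosts the SAS service account. The first table tells you which identities are exposed to unconstrained delegation at all (worth reviewing independently of this problem), and the second tells you, per trust, whether the netdom change described above has been applied.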
If you examine the SASLogon9.4.log file, as shown below, you will see that the authentication completes but that the TGT seems to be empty:
2020-03-20 13:04:09,865 [tomcat-http--19] INFO com.sas.svcs.security.authentication.gss.GSSCredentialCachingFilter - Received delegated credentials for [your-account-name]
2020-03-20 13:04:10,678 [tomcat-http--19] DEBUG com.sas.svcs.security.authentication.gss.GSSCredentialCachingFilter - Using OMIServerPrincipal '[your-account-name]'
2020-03-20 13:04:10,680 [tomcat-http--19] DEBUG com.sas.svcs.security.authentication.gss.GSSCredentialCachingFilter - Saved credentials for [your-account-name] in local cache
2020-03-20 13:04:10,680 [tomcat-http--19] DEBUG com.sas.svcs.security.authentication.gss.GSSCredentialCachingFilter - Credentials for [your-account-name] have remaining lifetime of 35998 secs
2020-03-20 13:04:10,681 [tomcat-http--19] DEBUG com.sas.svcs.security.authentication.gss.GSSCredentialCachingFilter - Delegated credentials provided by GSS API do not appear to contain the TGT
Also, if you view the SASServer1_1 catalina.out file, you see a successful authentication and the Kerberos ticket. However, as in the SASLogon9.4.log file, the TGT is missing, and the following error message is displayed as well:
MemoryCache: add 1584554967/002225/0132212CB807B1A3FD289ECCDF43ACDA/[USERNAME]@USERREALM.COM to [USERNAME]@USERREALM.COM|HTTP/saswebserver.domain.com@SERVERREALM.COM
>>> KrbApReq: authenticate succeed.
. . .more message lines. . .
>>> Constrained deleg from GSSCaller{UNKNOWN}
Found ticket for HTTP/saswebserver.domain.com@SERVERREALM.COM to go to krbtgt/SERVERREALM.COM@SERVERREALM.COM expiring on Thu Mar 19 00:09:27 EDT 2020
2020-03-18 14:09:27,965 [tomcat-http--18] DEBUG com.sas.svcs.security.authentication.gss.GSSCredentialCachingFilter - Delegated credentials provided by GSS API do not appear to contain the TGT
. . .more message lines. . .
>>>KRBError:
. . .more message lines. . .
suSec is 301822
error code is 13
error Message is KDC cannot accommodate requested option
. . .more message lines. . .
Unknown eData field of KRB-ERROR:
. . .more message lines. . .
KrbException: KDC cannot accommodate requested option (13)
at . . .more message lines. . .
>GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13)))
<. . .more message lines. . .
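The two log excerpts above carry a pair of signatures that together distinguish this problem from an ordinary delegation failure: SASLogon reports delegated credentials that "do not appear to contain the TGT", and catalina.out shows the KDC rejecting the follow-up request with Kerberos error code 13 (KDC_ERR_BADOPTION, "KDC cannot accommodate requested option"). The function below is an added example, not part of the SAS note: it scans both logs for those signatures, collects the affected account names, and returns a verdict. The file paths are placeholders, and the sample lines embedded at the end are constructed from the excerpts in this note.

```powershell
# Added example (not from the SAS note): triage SASLogon9.4.log and
# catalina.out for the "empty TGT" signature described in this note.
function Find-TgtDelegationFailure {
    param(
        [string[]]$SasLogonLines,
        [string[]]$CatalinaLines
    )

    # Signature 1 (SASLogon): GSS delivered delegated credentials without a TGT.
    $noTgt = @($SasLogonLines | Where-Object {
        $_ -match 'Delegated credentials provided by GSS API do not appear to contain the TGT'
    })

    # Signature 2 (catalina.out): KDC refused the constrained-delegation
    # follow-up with KRB-ERROR 13 (KDC_ERR_BADOPTION).
    $kdcRefused = @($CatalinaLines | Where-Object {
        $_ -match 'error code is 13' -or
        $_ -match 'KDC cannot accommodate requested option'
    })

    # Accounts that did authenticate, so the AD admin knows who is affected.
    $affected = foreach ($line in $SasLogonLines) {
        if ($line -match 'Received delegated credentials for \[(?<acct>[^\]]+)\]') {
            $Matches.acct
        }
    }
    $affected = @($affected | Sort-Object -Unique)

    $verdict = if ($noTgt.Count -gt 0 -and $kdcRefused.Count -gt 0) {
        'TGT delegation blocked by trust hardening: ask the AD admin to set EnableTGTDelegation:Yes'
    } elseif ($noTgt.Count -gt 0) {
        'TGT missing but no KDC error 13 found; check the rest of catalina.out'
    } else {
        'No TGT-delegation signature found; treat as an ordinary delegation failure'
    }

    [pscustomobject]@{
        AuthenticationSucceeded = $affected.Count -gt 0
        TgtMissing              = $noTgt.Count -gt 0
        KdcErrorCode13          = $kdcRefused.Count -gt 0
        AffectedAccounts        = $affected
        Verdict                 = $verdict
    }
}

# Constructed sample lines modelled on the excerpts in this note.
$sasLogonSample = @(
    '2020-03-20 13:04:09,865 [tomcat-http--19] INFO com.sas.svcs.security.authentication.gss.GSSCredentialCachingFilter - Received delegated credentials for [jdoe]',
    '2020-03-20 13:04:10,681 [tomcat-http--19] DEBUG com.sas.svcs.security.authentication.gss.GSSCredentialCachingFilter - Delegated credentials provided by GSS API do not appear to contain the TGT'
)
$catalinaSample = @(
    '>>> KrbApReq: authenticate succeed.',
    '>>> Constrained deleg from GSSCaller{UNKNOWN}',
    'error code is 13',
    'error Message is KDC cannot accommodate requested option'
)
Find-TgtDelegationFailure -SasLogonLines $sasLogonSample -CatalinaLines $catalinaSample

# Against real logs (placeholder paths):
# Find-TgtDelegationFailure -SasLogonLines (Get-Content 'C:\SAS\Logs\SASLogon9.4.log') `
#                           -CatalinaLines (Get-Content 'C:\SAS\Logs\SASServer1_1\catalina.out')
```

On the constructed sample the function reports TgtMissing and KdcErrorCode13 both true with jdoe as the affected account. A TgtMissing result without error 13 is the case to look at more carefully before asking for the trust change, since the KDC rejection is what ties the empty TGT to the hardening rather than to a misconfigured SPN or account.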
To resolve this problem, ask your Microsoft Active Directory administrator to set the EnableTGTDelegation flag to Yes for the trust, using the netdom command shown above on a domain controller.
Operating System and Release Information
| Product Family | Product | System | Product Release Reported In | Product Release Fixed* | SAS Release Reported In | SAS Release Fixed* |
| SAS System | SAS Web Server | Microsoft® Windows® for x64 | 9.4 | | 9.4 TS1M0 | |
| | | 64-bit Enabled AIX | 9.4 | | 9.4 TS1M0 | |
| | | 64-bit Enabled Solaris | 9.4 | | 9.4 TS1M0 | |
| | | HP-UX IPF | 9.4 | | 9.4 TS1M0 | |
| | | Linux for x64 | 9.4 | | 9.4 TS1M0 | |
| | | Solaris for x64 | 9.4 | | 9.4 TS1M0 | |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
| Type: | Problem Note |
| Priority: | medium |
| Date Modified: | 2020-06-11 14:43:41 |
| Date Created: | 2020-04-09 13:51:48 |