You receive unlimited authentication popup and in proxy real-time monitor, you receive this error
ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Service key not available; }}
"Service key not available", aka "encryption type mismatches".
The error "Service key not available" in Kerberos authentication is related to encryption type mismatches between the client, the keytab file, and the Active Directory (AD) domain controller.
Kerberos uses various encryption types (e.g., AES, RC4, DES) for securing tickets, and if the encryption types supported by the client and the AD domain controller do not match, this error can occur.
By default, Artica connect to the Active Directory using rc4-hmac, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96.
Your Active Directory system administrator has probably strengthened the Kerberos encryption settings inside the “encryption types allowed for Kerberos” policy
To do this
- On a Windows Server with the Group Policy Management tool installed, open the Group Policy Management Console (
gpmc.msc). - Navigate to
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options - look for the Network security: Configure encryption types allowed for Kerberos
- Verify that minimal RC4_HMAC_MD5 is enabled or nothing enabled ( which means default option)
