Trusted Active Directory users fail to log in to the IPA web UI - KDC error EVIDENCE_TKT_NOT_FORWARDABLE
Issue
- A one-way trust was created between IPA and AD
- AD user aduser@ad.example.com was added to the Default Trust View in IPA
- AD user aduser@ad.example.com fails to log in to the IPA web UI
- These errors are observed on the IPA server:
# tail -f /var/log/krb5kdc.log
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) 172.31.4.162: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM for krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM, Additional pre-authentication required
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): closing down fd 12
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) 172.31.4.162: ISSUE: authtime 1683616422, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM for krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): closing down fd 12
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) 172.31.4.162: REFERRAL: aduser\@AD.EXAMPLE.COM@IDM.EXAMPLE.COM for krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM, Realm not local to KDC
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](info): closing down fd 12
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](Error): No results.
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) 172.31.4.162: ISSUE: authtime 1683616422, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, aduser@AD.EXAMPLE.COM for HTTP/idmserver.idm.example.com@IDM.EXAMPLE.COM
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](info): closing down fd 12
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) 172.31.4.162: EVIDENCE_TKT_NOT_FORWARDABLE: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/idmserver.idm.example.com@IDM.EXAMPLE.COM for ldap/idmserver.idm.example.com@IDM.EXAMPLE.COM, KDC can't fulfill requested option
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): closing down fd 12
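The log above records one web UI login attempt end to end: an anonymous AS_REQ (the FAST armor ticket), a REFERRAL for the enterprise principal aduser\@AD.EXAMPLE.COM (the KDC recognises the user as belonging to the trusted realm), a TGS_REQ that issues aduser@AD.EXAMPLE.COM a ticket for the HTTP/ service of the IPA server, and finally a TGS_REQ in which that HTTP/ service asks for a ticket to ldap/ on the user's behalf. That last step is S4U2Proxy (constrained delegation); the KDC refuses it with EVIDENCE_TKT_NOT_FORWARDABLE because the user's ticket to HTTP/, the "evidence ticket", does not carry the forwardable flag, and the follow-up CONSTRAINED-DELEGATION line shows s4u-client=<unknown>. The following script, an added example and not part of the knowledge base article, parses krb5kdc.log lines and joins each refused delegation request with the s4u-client line the KDC writes under the same pid, so the failing service, target and affected trusted-realm user can be pulled out of a busy log in one pass. The sample lines are constructed to follow the format shown above (etype lists shortened); the regular expressions are this example's own assumptions about the log format, not an interface provided by krb5.

```python
"""Correlate krb5kdc.log lines to surface S4U2Proxy (constrained delegation)
failures such as EVIDENCE_TKT_NOT_FORWARDABLE and tie them to the trusted-realm
user whose login triggered them. Added example; the regexes below are this
script's assumptions about the log format and the sample lines are constructed."""
import re

# krb5kdc.log line: "<Mon DD HH:MM:SS> <host> krb5kdc[<pid>](<level>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$"
)
# AS_REQ / TGS_REQ message:
# "<kind> (<etypes>) <ip>: <STATUS>: [detail ]<client> for <server>[, <reason>]"
REQ_RE = re.compile(
    r"^(?P<kind>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:.*?\s)?(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<reason>.*))?$"
)
# Follow-up line the KDC writes for an S4U2Proxy request
S4U_RE = re.compile(r"CONSTRAINED-DELEGATION s4u-client=(?P<s4u_client>\S+)")

# Constructed sample, modelled on the article's log (etype lists shortened)
SAMPLE_LOG = r"""
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 172.31.4.162: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM for krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM, Additional pre-authentication required
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): closing down fd 12
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 172.31.4.162: REFERRAL: aduser\@AD.EXAMPLE.COM@IDM.EXAMPLE.COM for krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM, Realm not local to KDC
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 172.31.4.162: ISSUE: authtime 1683616422, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, aduser@AD.EXAMPLE.COM for HTTP/idmserver.idm.example.com@IDM.EXAMPLE.COM
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 172.31.4.162: EVIDENCE_TKT_NOT_FORWARDABLE: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/idmserver.idm.example.com@IDM.EXAMPLE.COM for ldap/idmserver.idm.example.com@IDM.EXAMPLE.COM, KDC can't fulfill requested option
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): closing down fd 12
""".strip().splitlines()


def parse(lines):
    """Yield one dict per line that looks like a krb5kdc.log entry."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        req = REQ_RE.match(rec["msg"])
        if req:
            rec.update(req.groupdict())
        s4u = S4U_RE.search(rec["msg"])
        if s4u:
            rec["s4u_client"] = s4u.group("s4u_client")
        yield rec


def analyze(lines):
    """Return cross-realm referrals (trusted-realm users seen logging in) and
    refused constrained-delegation requests, each joined with the s4u-client
    line the KDC writes under the same pid right after it."""
    records = list(parse(lines))
    referrals, failures = [], []
    for i, rec in enumerate(records):
        if rec.get("status") == "REFERRAL":
            # Enterprise principal "user\@REALM@LOCALREALM": user is from a trusted realm
            referrals.append(rec["client"])
        elif (rec.get("kind") == "TGS_REQ" and rec["status"] != "ISSUE"
              and "/" in rec["client"]):
            # A service principal (HTTP/..., ldap/...) is the requesting client and the
            # KDC refused: this is S4U2Proxy, the service acting on behalf of a user
            s4u_client = None
            for later in records[i + 1:i + 4]:
                if later["pid"] == rec["pid"] and "s4u_client" in later:
                    s4u_client = later["s4u_client"]
                    break
            failures.append({
                "status": rec["status"],
                "service": rec["client"],
                "target": rec["server"],
                "reason": rec["reason"],
                "s4u_client": s4u_client,
                "peer": rec["ip"],
            })
    return {"referrals": referrals, "delegation_failures": failures}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for user in result["referrals"]:
        print(f"trusted-realm login: {user}")
    for f in result["delegation_failures"]:
        print(f"{f['status']}: {f['service']} -> {f['target']} "
              f"(s4u-client={f['s4u_client']}, peer={f['peer']}): {f['reason']}")
```

Pointing `analyze()` at the real log (for example `analyze(open("/var/log/krb5kdc.log"))`) lists every refused S4U2Proxy request; a failure whose service is the IPA server's HTTP/ principal, whose target is its ldap/ principal and which follows a REFERRAL for an enterprise principal from the trusted realm is the pattern this article describes.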
Environment
- Red Hat Enterprise Linux 8.7