Trusted Active Directory users fail to log in to the IPA web UI - KDC error EVIDENCE_TKT_NOT_FORWARDABLE

Solution Verified - Updated -

Issue

  1. A one-way trust was created between IPA and AD
  2. The AD user aduser@ad.example.com was added to the Default Trust View in IPA
  3. The AD user aduser@ad.example.com fails to log in to the IPA web UI
  4. The following errors are observed on the IPA server:
# tail -f /var/log/krb5kdc.log
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) 172.31.4.162: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM for krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM, Additional pre-authentication required
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): closing down fd 12
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) 172.31.4.162: ISSUE: authtime 1683616422, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM for krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): closing down fd 12
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) 172.31.4.162: REFERRAL: aduser\@AD.EXAMPLE.COM@IDM.EXAMPLE.COM for krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM, Realm not local to KDC
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](info): closing down fd 12
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](Error): No results.
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) 172.31.4.162: ISSUE: authtime 1683616422, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, aduser@AD.EXAMPLE.COM for HTTP/idmserver.idm.example.com@IDM.EXAMPLE.COM
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](info): closing down fd 12
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) 172.31.4.162: EVIDENCE_TKT_NOT_FORWARDABLE: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/idmserver.idm.example.com@IDM.EXAMPLE.COM for ldap/idmserver.idm.example.com@IDM.EXAMPLE.COM, KDC can't fulfill requested option
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): closing down fd 12
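
Triage helper for the log pattern above, added here as an example and not part of the Red Hat article: it walks a krb5kdc.log, picks out TGS_REQ entries the KDC rejected during S4U2Proxy (the constrained-delegation hop from HTTP/ to ldap/ that the IPA web UI performs on the user's behalf), pairs each with its "... CONSTRAINED-DELEGATION" detail line by KDC pid, and names the principal that last received a ticket for the front-end service as the likely affected user (a heuristic, since the KDC logged the s4u-client as <unknown>). SAMPLE_LOG is constructed from the excerpt above with the etypes lists shortened; the regexes and the S4U2ProxyFailure class are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the krb5kdc.log excerpt above; etypes lists shortened to {...}.
SAMPLE_LOG = """\
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](info): TGS_REQ (7 etypes {...}) 172.31.4.162: ISSUE: authtime 1683616422, etypes {rep=aes256-cts-hmac-sha1-96(18)}, aduser@AD.EXAMPLE.COM for HTTP/idmserver.idm.example.com@IDM.EXAMPLE.COM
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464978](info): closing down fd 12
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): TGS_REQ (7 etypes {...}) 172.31.4.162: EVIDENCE_TKT_NOT_FORWARDABLE: authtime 0, etypes {rep=UNSUPPORTED:(0)} HTTP/idmserver.idm.example.com@IDM.EXAMPLE.COM for ldap/idmserver.idm.example.com@IDM.EXAMPLE.COM, KDC can't fulfill requested option
May 09 09:13:42 idmserver.idm.example.com krb5kdc[2464977](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
"""

# Common prefix: syslog timestamp, host, "krb5kdc[pid](level): "
TS = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[(?P<pid>\d+)\]\(\w+\): "
# TGS_REQ line: "<etypes>) <ip>: <STATUS>: ... <requester> for <target>[, reason]"
TGS_RE = re.compile(TS + r"TGS_REQ .*?\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
                    r".*? (?P<requester>\S+) for (?P<target>[^,]+)")
# Continuation line the KDC emits for an S4U2Proxy request
S4U_RE = re.compile(TS + r"\.\.\. CONSTRAINED-DELEGATION s4u-client=(?P<s4u>\S+)")


@dataclass
class S4U2ProxyFailure:
    timestamp: str
    client_ip: str
    status: str                       # e.g. EVIDENCE_TKT_NOT_FORWARDABLE
    front_end: str                    # service presenting the evidence ticket (HTTP/...)
    backend: str                      # service it requested a ticket for (ldap/...)
    s4u_client: Optional[str] = None  # impersonated user as logged by the KDC, if any
    likely_user: Optional[str] = None # heuristic: last principal issued a ticket for front_end


def find_s4u2proxy_failures(log_text: str) -> list:
    """Return each rejected constrained-delegation TGS_REQ found in krb5kdc.log text."""
    failures, last_issue, pending = [], {}, {}
    for line in log_text.splitlines():
        m = TGS_RE.match(line)
        if m:
            if m["status"] == "ISSUE":
                # remember which principal last obtained a ticket for each service
                last_issue[m["target"]] = m["requester"]
            else:
                f = S4U2ProxyFailure(m["ts"], m["ip"], m["status"], m["requester"],
                                     m["target"], likely_user=last_issue.get(m["requester"]))
                # EVIDENCE_TKT_NOT_FORWARDABLE is S4U2Proxy-specific; other statuses are
                # only reported once the "... CONSTRAINED-DELEGATION" line confirms them
                if m["status"] == "EVIDENCE_TKT_NOT_FORWARDABLE":
                    failures.append(f)
                pending[m["pid"]] = f
            continue
        m = S4U_RE.match(line)
        if m and m["pid"] in pending:
            f = pending.pop(m["pid"])
            f.s4u_client = m["s4u"]
            if f not in failures:
                failures.append(f)
    return failures
```

Run it against /var/log/krb5kdc.log (read the file into find_s4u2proxy_failures) to list every failed delegation with the client IP, the HTTP/ and ldap/ principals involved, and the user whose login it most likely broke.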

Environment

  • Red Hat Enterprise Linux 8.7
