How to solve users unable to authenticate to IPA/IDM with PAC issues - S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC error

Solution Verified

Issue

After upgrading to RHEL 8.9 or RHEL 9.3, most IPA users are unable to log into the WebUI or run kinit, with errors like:

 GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)

Subsequently, any ipa commands start to fail with

# ipa -d user-show
...
  File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request
    response.msg)
xmlrpc.client.ProtocolError: ... 401 Unauthorized>

In krb5kdc.log on the IPA server we can see the error:

S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC
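The following script is an added example, not part of this article and not Red Hat or FreeIPA code. It shows how to confirm from the KDC log that this is the failure mode being hit, and which constrained-delegation pair (the requesting service and the target service) is affected, before opening a case or applying the fix. The sample krb5kdc.log lines are constructed here; the line layout ("TGS_REQ ... <client-ip>: <STATUS>: ... <principal> for <principal>") is an assumption about the default krb5kdc log format, so adjust the regular expression if your KDC logs differently.

```python
"""Scan krb5kdc.log for S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC failures.

Added example (not from the original article). It parses krb5kdc.log lines,
flags the status that breaks IPA WebUI/kinit logins after the upgrade, and
summarises which service principal pairs are failing constrained delegation.
"""
import re
import sys
from collections import Counter

PAC_ERROR = "S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC"

# Constructed sample log lines (hostnames, IPs and realm are made up).
SAMPLE_LOG = """\
Nov 21 09:14:02 ipa.example.test krb5kdc[2211](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 192.0.2.10: ISSUE: authtime 1700558042, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 21 09:14:03 ipa.example.test krb5kdc[2211](info): TGS_REQ (6 etypes {18 17 20 19 16 23}) 192.0.2.10: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 0, HTTP/ipa.example.test@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST, KDC can't fulfill requested option
Nov 21 09:14:05 ipa.example.test krb5kdc[2211](info): TGS_REQ (6 etypes {18 17 20 19 16 23}) 192.0.2.11: ISSUE: authtime 1700558042, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.TEST for HTTP/ipa.example.test@EXAMPLE.TEST
Nov 21 09:14:06 ipa.example.test krb5kdc[2211](info): TGS_REQ (6 etypes {18 17 20 19 16 23}) 192.0.2.10: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 0, HTTP/ipa.example.test@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST, KDC can't fulfill requested option
"""

# Assumed layout of a krb5kdc.log request line (adjust for your KDC's format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<client_ip>\S+): (?P<status>[A-Z0-9_]+): (?P<rest>.*)$"
)
# "<requesting principal> for <target principal>" inside the remainder.
PRINCIPALS_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)")


def parse_kdc_line(line):
    """Return a dict for a request line, or None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS_RE.search(rec["rest"])
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    return rec


def find_pac_failures(log_text):
    """All parsed records whose KDC status is the PAC-missing S4U2proxy error."""
    records = (parse_kdc_line(ln) for ln in log_text.splitlines())
    return [r for r in records if r and r["status"] == PAC_ERROR]


def summarize_failures(log_text):
    """Count failures per (requesting service, target service) pair.

    On an IPA server the expected pair is the HTTP service delegating to ldap,
    which is exactly the WebUI / ipa CLI path that breaks.
    """
    return Counter((r["client"], r["server"]) for r in find_pac_failures(log_text))


def main(argv):
    # Read a real log if a path is given, otherwise run over the constructed sample.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_LOG
    summary = summarize_failures(text)
    if not summary:
        print(f"no {PAC_ERROR} entries found")
        return 0
    print(f"{PAC_ERROR} entries by delegation pair:")
    for (client, server), n in summary.most_common():
        print(f"  {n:5d}  {client} -> {server}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scan_kdc_pac.py /var/log/krb5kdc.log` on the IPA server; a non-zero exit with the HTTP -> ldap pair listed matches the symptom described above (WebUI and ipa commands failing with 401 while the KDC rejects the S4U2proxy evidence ticket because it carries no PAC). Successful ISSUE lines are parsed but not counted, so the script can also confirm that a fix has taken effect once the counter stays at zero.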

Environment

RHEL 8.9, ipa-server-4.9.12-11 +
RHEL 9.3, ipa-server-4.10.2-5 +
