With authentication enabled on the ProxySG appliance and Kerberos Constrained Delegation (KCD) in use, users cannot access protected resources due to authentication errors such as:
Internal error (server_authentication_error)
The ProxySG encountered an internal error while preparing to send your username/password upstream: "Kerberos cache encountered an unexpected error."
This error can only occur when the ProxySG "server authentication" feature is used.
For assistance, contact your network support team.
You run an LSA Debug Trace on the ProxySG (/lsa/debug) and receive an error similar to the following:
0623.046 KTC::Get_ticket: init context failure -1765328351 Ticket not yet valid
In the ProxySG event logs, you may see events similar to these:
The ProxySG appliance attempts to contact the Domain Controller (DC), which is responsible for issuing Kerberos tickets, on behalf of the client to obtain a Kerberos ticket or token. This is usually used in cases where the client cannot connect to the DC itself.
For information on KCD and how to configure it, refer to article
A large discrepancy exists between the respective times on the ProxySG appliance and the DC. As a result, the appliance considers the Kerberos tickets it receives from the DC to be invalid.
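The numeric code in the LSA trace line above is an MIT Kerberos error code, and decoding it shows whether a failure is time-related. The following Python is an added example, not part of the original article or vendor tooling; it assumes trace lines shaped like the one quoted above, and the second and third sample lines are constructed.

```python
import re

# MIT krb5 reports protocol errors as: table base + RFC 4120 error number.
KRB5_ERROR_TABLE_BASE = -1765328384

# RFC 4120 error numbers that point at time problems rather than credentials.
TIME_RELATED = {
    32: "KRB_AP_ERR_TKT_EXPIRED (ticket expired)",
    33: "KRB_AP_ERR_TKT_NYV (ticket not yet valid)",
    37: "KRB_AP_ERR_SKEW (clock skew too great)",
}

# Assumed line shape: "<stamp> <source>: ... failure <code> <text>"
CODE_RE = re.compile(r"failure\s+(-\d+)")


def decode(line):
    """Return (rfc4120_number, description or None), or None if no krb5 code."""
    m = CODE_RE.search(line)
    if not m:
        return None
    number = int(m.group(1)) - KRB5_ERROR_TABLE_BASE
    if not 0 <= number <= 127:
        return None  # outside the protocol error range assumed here
    return number, TIME_RELATED.get(number)


def clock_suspects(lines):
    """Return (stamp, number, description) for lines with a time-related error."""
    hits = []
    for line in lines:
        decoded = decode(line)
        if decoded and decoded[1]:
            hits.append((line.split()[0], decoded[0], decoded[1]))
    return hits


# First line is the trace line from this article; the others are constructed.
SAMPLE = [
    "0623.046 KTC::Get_ticket: init context failure -1765328351 Ticket not yet valid",
    "0624.112 KTC::Get_ticket: init context failure -1765328347 Clock skew too great",
    "0625.300 KTC::Get_ticket: init context failure -1765328378 Client not found in Kerberos database",
]

if __name__ == "__main__":
    for stamp, number, desc in clock_suspects(SAMPLE):
        print(f"{stamp}: Kerberos error {number} {desc}: compare appliance and DC time")
```

Any line it reports is a reason to compare the appliance clock with the DC before looking at credentials or delegation settings.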
On the ProxySG appliance, adjust the system time at
Clock. Then, do one of the following:
Set the NTP servers to the same ones that the DC uses, and then click Acquire UTC Time.
Set the Time Zone to match that of the DC by clicking Set Time Zone.
The actual time appears under
Current Time beside the
The DC’s time is adjusted in its Windows environment, in the same way as the time on any Windows machine.
Imported Document ID: 000031389