In a Kerberos-enabled IWA authentication deployment, the following error message is received when attempting to update "Set Credentials" under Configuration -> Authentication -> IWA -> IWA Servers [Tab] -> Load-balanced Kerberos: "Unable to store Kerberos username and password. The IWA direct realm encountered an unmapped error code, contact your system administrator. Ensure domain is properly (re)joined".
One of the most common causes of this issue is that the ProxySG does not get a response from the domain controller (DC) to its LDAP query for the attribute "msDS-KeyVersionNumber". In short, this attribute holds the Kerberos key version number (kvno) of the current key for the AD account. If the DC has permission restrictions that prevent it from returning the value of this attribute, the ProxySG cannot update its own keytab file, and the error message above is the result. This can be validated from a packet capture taken on the proxy while setting the credentials: the query goes out, but the response does not contain the attribute.
LDAP query to DC (packet capture screenshot):
LDAP response from DC (packet capture screenshot):
The solution is to grant permission to read (return) the msDS-KeyVersionNumber attribute value, limiting that privilege to the Kerberos service account created in AD rather than granting broader rights.
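As an added example, not part of the original article, the following PowerShell reproduces the attribute lookup the proxy performs, authenticating as the Kerberos service account, so an administrator can confirm whether the DC withholds msDS-KeyVersionNumber before touching ACLs. The DC name, the account name and the domain are placeholders, and the script assumes the RSAT ActiveDirectory module is installed where it runs; the final dsacls line illustrates the narrow grant the article describes and should be run as a domain administrator only if the check reports the attribute as missing.

```powershell
# Added example (not from the original article). Placeholders to replace:
#   - DOMAIN\svc-proxysg : the ProxySG Kerberos service account
#   - dc01.example.local : the domain controller the proxy queries
# Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

$dc      = 'dc01.example.local'   # placeholder DC
$domain  = 'DOMAIN'               # placeholder NetBIOS domain name
$account = 'svc-proxysg'          # placeholder service account

# Step 1: query the service account's own object *as* the service account,
# which is the same view of the directory the proxy gets, and ask only for
# the attribute the proxy needs to update its keytab.
$cred = Get-Credential -Message "Password for $domain\$account"
$obj  = Get-ADUser -Identity $account -Server $dc -Credential $cred `
                   -Properties 'msDS-KeyVersionNumber'

if ($null -eq $obj.'msDS-KeyVersionNumber') {
    # The object came back but the attribute did not: the DC is not
    # returning it to this principal, which matches the symptom in the article.
    Write-Warning "msDS-KeyVersionNumber not returned for $account; check read permission on the attribute."
} else {
    Write-Host "msDS-KeyVersionNumber for $account = $($obj.'msDS-KeyVersionNumber')"
}

# Step 2 (domain admin, only if step 1 warned): grant the service account
# read access (RP = Read Property) to this single attribute on its own
# object, keeping the privilege scoped to the Kerberos account.
$dn = $obj.DistinguishedName
dsacls $dn /G "$domain\${account}:RP;msDS-KeyVersionNumber"
```

Run step 1 first: a returned value rules out the permission cause and points the investigation elsewhere (for example, a stale domain join), whereas a missing value reproduces exactly what the packet capture would show in the LDAP response. Re-run step 1 after the grant to confirm the attribute is now returned before retrying "Set Credentials" on the proxy.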