mgoswami
Staff
January 9, 2025

Troubleshooting Tip: How to resolve 'Cannot find key for' error in Kerberos authentication

Description
This article describes how to handle the error 'Cannot find key for' the principal in Kerberos authentication.

Scope
FortiGate, FortiProxy.

Solution

Kerberos authentication fails when the FortiGate cannot locate the correct key for the service principal in the keytab it holds.

When a client attempts to connect using Kerberos authentication, collecting the WAD debug shows the following error:

[I][p:221][s:1956622081][r:16777808] wad_krb_err_print :46 Error returned by gss_accept_sec_context: major:d0000 Hex minor:100005 Dec
[I][p:221][s:1956622081][r:16777808] wad_krb_err_print :57 major error <1> Unspecified GSS failure. Minor code may provide more information
[I][p:221][s:1956622081][r:16777808] wad_krb_err_print :70 minor error <1> Cannot find key for HTTP/fortigate2K.abc.com@ABC.COM kvno 11 in keytab (request ticket server HTTP/fortigate2K.abc.com@ABC.COM)
[I][p:221][s:1956622081][r:16777808] wad_negotiate_del_ctx :925 release krb nego output buffer:0
[E][p:221][s:1956622081][r:16777808] wad_nego_authenticate :269 Error occurred during krb authentication.
[I][p:221][s:1956622081][r:16777808] wad_http_auth_status_proc :9968 authenticate result=failure

This issue occurs when the password of the service account is changed. Every password change increments the account's KVNO by 1, so the KVNO held in AD no longer matches the KVNO in the keytab that was uploaded to the FortiGate earlier. This can be validated in AD by running the command below in Windows PowerShell:

Get-ADUser -identity testproxy -Properties msDS-KeyVersionNumber

The msDS-KeyVersionNumber value in the output is the current KVNO in AD.

To check the KVNO currently stored in the keytab file, external software such as MIT Kerberos can be used to decode the file. It can be obtained from the following link:

MIT Kerberos Download

From cmd, run the following command; only the .keytab file itself is needed:

klist -k -t fgt.keytab
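The same KVNO comparison (AD's msDS-KeyVersionNumber against the kvno stored in the keytab) can be done programmatically. The following is an added example, not code from the original article or from Fortinet: it parses a version-2 MIT keytab with Python's standard library and reports whether an entry for the given principal carries the KVNO that AD currently holds. build_keytab constructs an offline sample keytab with an all-zero key; the principal is taken from the log above, and the assumption that the stale keytab holds kvno 10 while AD reports 11 is made up for illustration.

```python
import struct

def _counted_string(buf, pos):
    # counted_octet_string: uint16 big-endian length followed by that many bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry of a v2 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted_string(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, key_len = struct.unpack_from(">HH", data, pos + 9)
        pos += 9 + 4 + key_len            # skip the key material itself
        # a trailing 32-bit kvno, if present, overrides the 8-bit vno8 field
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def check_kvno(data, principal, ad_kvno):
    """Compare the keytab's kvno(s) for `principal` with AD's msDS-KeyVersionNumber."""
    kvnos = sorted({e[1] for e in parse_keytab(data) if e[0] == principal})
    if ad_kvno in kvnos:
        return "ok"
    return "mismatch: keytab has kvno %s for %s, AD msDS-KeyVersionNumber is %d" % (kvnos, principal, ad_kvno)

def build_keytab(principal, kvno, enctype=18, key=b"\x00" * 32):
    """Constructed sample: one aes256-cts entry (enctype 18) with an all-zero key."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)             # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Calling check_kvno(build_keytab("HTTP/fortigate2K.abc.com@ABC.COM", 10), "HTTP/fortigate2K.abc.com@ABC.COM", 11) reproduces the mismatch behind the error above; running parse_keytab on a real fgt.keytab lists the same kvno column that klist -k -t prints.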

To resolve this issue, remove the existing keytab from the FortiGate and generate a new one on the server using the ktpass command:

ktpass -princ HTTP/fortigate2K.abc.com@ABC.COM -mapuser <user> -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fgt.keytab

Note that <user> in the above command is the service account created in AD, and <password> is that account's password.

To check whether the keytab was successfully imported and decoded on the FortiGate, use the command below:

fnsysctl ls -la /tmp/kt

Note:

The keytab file is no longer visible starting from v7.4.5, due to identified security concerns, so on those versions the same command returns:

fnsysctl ls -la /tmp/kt
ls: /tmp/kt: No such file or directory

Make sure the principal entered in the config user krb-keytab section exactly matches the one used in the ktpass command when generating the keytab file. Ensure that the base64-encoded keytab on the server is merged into a single continuous line; otherwise, the import into the FortiGate will fail.

An error may appear in the FortiGate GUI stating 'The keytab is not valid for the principal'. In that case, define Kerberos as an authentication service; this option is only available in the CLI. The steps are described in this article: Technical Tip: FortiGate explicit proxy authentication with Kerberos.

Before retrying, purge the Kerberos ticket cache on the end-user machine with the following command:

klist purge

Afterwards, clear the user's browser cache and cookies.

Related article:

Technical Tip: How to resolve the error 'Error occurred during krb authentication' in Kerberos authentication