Vault's Kerberos authentication method requires some familiarity with the Kerberos deployment it is used against (realm, principals, key versions and encryption types). The error below may be observed when attempting a vault login ...:
Error authenticating: couldn't log in: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: issue with setting PAData on AS_REQ < Encrypting_Error: error getting key from credentials: matching key not found in keytab. Looking for [USER_PRINCIPAL_HERE] realm: KERBEROS_REALM_HERE kvno: 0 etype: 17
USER_PRINCIPAL_HERE is the Kerberos user principal you are trying to log in as.
KERBEROS_REALM_HERE is the Kerberos realm.
The above error is returned by the Kerberos client inside the Vault CLI during the AS exchange (obtaining the TGT), before Vault itself is contacted. It means that the keytab file supplied to vault login via the keytab_path parameter has no key for that principal and realm with the requested key version (kvno) and encryption type (etype).
Solution
As stated above, the error indicates that the provided keytab file is either missing a key for the principal entirely, or holds a key for it that does not use the requested encryption type (or key version). To resolve the error, generate a new keytab file containing a key of the requested type.
In Windows (Active Directory) environments, use the ktpass command; its /crypto option selects the encryption type (for example /crypto AES128-SHA1 for aes128-cts-hmac-sha1-96). Note that ktpass resets the account password when /pass is given, which increments the account's kvno, so generate the keytab last and do not reset the password afterwards.
In Linux environments, use the ktutil utility; the addent command's -e option selects the encryption type and -k the kvno. Before retrying vault login, confirm the result with klist -kte <keytab>, which lists every key with its kvno and encryption type.
An important part of generating a new keytab file is understanding the trailing part of the error, here: kvno: 0 etype: 17.
kvno: 0 means no specific key version was requested: the client accepts any version and uses the newest key it finds for the principal and encryption type, so generate the keytab with the principal's current KVNO as known to the KDC (if a non-zero kvno is shown, the keytab must contain exactly that version). The number 17 is the IANA/RFC 3962 encryption type number for aes128-cts-hmac-sha1-96, so the new keytab must contain an aes128-cts-hmac-sha1-96 key for the principal (18 would be aes256-cts-hmac-sha1-96, 23 arcfour-hmac/RC4).
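As an added example (not code from the original article or from Vault), the script below turns this diagnosis into a check: it parses the "Looking for [...] realm: ... kvno: N etype: M" tail of the error, maps the etype number to its ktutil name, scans a `klist -kte` listing of the keytab for a matching principal/etype/kvno, and prints the ktutil session that would add the missing key. MIT `klist -kte` output format is assumed; the principal grace@EXAMPLE.COM, the kvno 3, the timestamps and both keytab listings are constructed sample data, not taken from any real system.

```shell
#!/bin/sh
# Added example, not part of the original article or of Vault. Checks whether a
# keytab (as listed by MIT `klist -kte`) satisfies the key lookup named in the
# gokrb5 "matching key not found in keytab" error, and suggests the ktutil fix.
# Principal, realm, kvno, timestamps and listings below are constructed samples.

# RFC 3961/3962/8009 encryption type numbers to the names ktutil/klist use.
etype_name() {
  case "$1" in
    1)  echo "des-cbc-crc" ;;
    3)  echo "des-cbc-md5" ;;
    16) echo "des3-cbc-sha1" ;;
    17) echo "aes128-cts-hmac-sha1-96" ;;
    18) echo "aes256-cts-hmac-sha1-96" ;;
    19) echo "aes128-cts-hmac-sha256-128" ;;
    20) echo "aes256-cts-hmac-sha384-192" ;;
    23) echo "arcfour-hmac" ;;
    *)  echo "unknown-etype-$1" ;;
  esac
}

# Extract principal, realm, kvno and etype from the error text.
# Prints: "<principal> <realm> <kvno> <etype>"
parse_lookup() {
  msg=$1
  rest=${msg#*"Looking for ["}; princ=${rest%%"]"*}
  rest=${msg#*"realm: "};       realm=${rest%% *}
  rest=${msg#*"kvno: "};        kvno=${rest%% *}
  etype=${msg##*"etype: "}
  printf '%s %s %s %s\n' "$princ" "$realm" "$kvno" "$etype"
}

# Read a `klist -kte` listing on stdin; print the highest kvno that holds a key
# for PRINCIPAL with ETYPE_NAME. WANT_KVNO=0 (the default) accepts any version,
# which is what the client does when the error says "kvno: 0". Returns 1 if no
# key matches, i.e. the keytab would produce the error above.
keytab_key_kvno() {
  principal=$1; etype=$2; want=${3:-0}; best=""
  while read -r kvno _date _time princ enc; do
    [ "$princ" = "$principal" ] || continue          # header lines never match
    [ "$enc" = "($etype)" ] || continue
    [ "$want" -eq 0 ] || [ "$kvno" -eq "$want" ] || continue
    if [ -z "$best" ] || [ "$kvno" -gt "$best" ]; then best=$kvno; fi
  done
  [ -n "$best" ] || return 1
  echo "$best"
}

# Check one error message against one keytab listing (on stdin).
check_keytab_for_error() {
  set -- $(parse_lookup "$1")              # $1=principal $2=realm $3=kvno $4=etype
  want_etype=$(etype_name "$4")
  if found=$(keytab_key_kvno "$1@$2" "$want_etype" "$3"); then
    echo "ok: $1@$2 has an $want_etype key (kvno $found)"
  else
    echo "missing: no $want_etype key for $1@$2 (kvno $3, 0 = any) in keytab"
    return 1
  fi
}

# Print the ktutil session that adds the missing key on Linux. KVNO must be the
# principal's current key version on the KDC (on AD: msDS-KeyVersionNumber).
suggest_ktutil() {   # principal realm etype_name kvno keytab_path
  cat <<EOF
ktutil
addent -password -p $1@$2 -k $4 -e $3
wkt $5
quit
EOF
}

# --- Constructed sample data ---------------------------------------------------
SAMPLE_ERROR="Error authenticating: couldn't log in: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: issue with setting PAData on AS_REQ < Encrypting_Error: error getting key from credentials: matching key not found in keytab. Looking for [grace] realm: EXAMPLE.COM kvno: 0 etype: 17"

# Keytab written with AES256 only: reproduces the error for etype 17.
BAD_LISTING="Keytab name: FILE:/tmp/grace.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2024 10:00:00 grace@EXAMPLE.COM (aes256-cts-hmac-sha1-96)"

# Keytab regenerated with both AES types at the current kvno (an old kvno 2
# entry is kept to show that the newest version wins when kvno 0 is requested).
GOOD_LISTING="Keytab name: FILE:/tmp/grace.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/10/2024 09:00:00 grace@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 01/15/2024 10:00:00 grace@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 01/15/2024 10:00:00 grace@EXAMPLE.COM (aes128-cts-hmac-sha1-96)"

set -- $(parse_lookup "$SAMPLE_ERROR")
for listing in "$BAD_LISTING" "$GOOD_LISTING"; do
  if printf '%s\n' "$listing" | check_keytab_for_error "$SAMPLE_ERROR"; then
    echo "keytab is usable for vault login"
  else
    echo "regenerate the keytab, e.g. on Linux:"
    suggest_ktutil "$1" "$2" "$(etype_name "$4")" 3 /tmp/grace.keytab
  fi
done
```

In practice, replace the constructed listing with `klist -kte /path/to/keytab` output piped into check_keytab_for_error, and take the kvno for the addent line from the KDC rather than from the old keytab, since a stale kvno fails the same way a missing etype does.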