Troubleshooting the Kerberos authentication method requires some familiarity with the Kerberos protocol. Here is an example error message.
The following error is observed when the vault login ... command is executed in order to authenticate via the Kerberos authentication method:
Error authenticating: couldn't log in: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: issue with setting PAData on AS_REQ < Encrypting_Error: error getting key from credentials: matching key not found in keytab. Looking for [USER_PRINCIPAL_HERE] realm: KERBEROS_REALM_HERE kvno: 0 etype: 17
USER_PRINCIPAL_HERE - the Kerberos user principal you are trying to log in as.
KERBEROS_REALM_HERE - the Kerberos realm.
The above error is the result of the keytab file provided to the Vault server via the keytab_path parameter either lacking a key for the principal or holding a key of the wrong encryption type. In order to resolve the error, a new keytab file should be generated.
In Windows environments, the ktpass command should be used. In Linux environments, the ktutil utility should be used.
An important part of generating a new keytab file is understanding the returned error. In the example above, kvno: 0 etype: 17 indicates that you should use the latest KVNO of the Kerberos principal and the aes128-cts-hmac-sha1-96 encryption type when generating the new keytab: the number 17 corresponds to the aes128-cts-hmac-sha1-96 encryption type.
Note: The other encryption types and their numbers are listed in the link below.
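As an added illustration (not part of this article or of Vault's own code), the following Python script parses an MIT-format keytab and performs the same lookup the error message describes, so a keytab can be checked offline for a key of the required encryption type and KVNO before it is handed to Vault. The sample keytab bytes, the principal vault/vault.example.com and the realm EXAMPLE.COM are constructed for this example.

```python
import struct
# RFC 3961/3962 enctype numbers; 17 is the one named in the Vault error quoted above.
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
def _counted(buf, off):  # uint16 length-prefixed octet string
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    """Return [(principal, realm, kvno, etype), ...] from an MIT version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab version 0x0502 is handled here")
    off, entries = 2, []
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]; off += 4
        if size < 0:  # a negative size marks a deleted slot of that length
            off -= size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]; off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off); comps.append(c.decode())
        off += 8  # skip name_type (4 bytes) and timestamp (4 bytes)
        kvno = data[off]; off += 1  # 8-bit kvno
        etype = struct.unpack_from(">H", data, off)[0]; off += 2
        _key, off = _counted(data, off)  # key bytes are not needed to diagnose the mismatch
        if end - off >= 4:  # optional 32-bit kvno takes precedence when present
            kvno = struct.unpack_from(">I", data, off)[0]
        entries.append(("/".join(comps), realm.decode(), kvno, etype))
        off = end
    return entries
def find_key(entries, principal, realm, etype, kvno=0):
    """Lookup as the error phrases it: kvno 0 accepts any key version, etype must match exactly."""
    return [e for e in entries if e[0] == principal and e[1] == realm
            and e[3] == etype and (kvno == 0 or e[2] == kvno)]
def missing_etypes(entries, principal, realm, wanted):
    """Names of the enctypes from `wanted` that the keytab lacks for this principal."""
    have = {e[3] for e in entries if e[0] == principal and e[1] == realm}
    return [ETYPE_NAMES.get(t, str(t)) for t in wanted if t not in have]
def _entry(principal, realm, kvno, etype, key):  # serialise one record, used only for the sample
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
# Constructed sample keytab: only aes256 and rc4 keys, so a lookup for etype 17 fails as in the error.
SAMPLE_KEYTAB = (b"\x05\x02" + _entry("vault/vault.example.com", "EXAMPLE.COM", 3, 18, b"\x11" * 32)
                 + _entry("vault/vault.example.com", "EXAMPLE.COM", 3, 23, b"\x22" * 16))
```

Running parse_keytab on a real keytab and then find_key with the principal, realm and etype printed in the error reproduces the lookup that failed; missing_etypes lists which encryption types to add when regenerating the keytab.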
For specific instructions on the ktutil utility, you can use the examples here for ktutil and here for