The Kerberos authentication method requires knowledge of the Kerberos protocol. Here's an example error message:
Problem
The following error is observed when the
vault login... command is executed in order to authenticate via the Kerberos authentication method: Error authenticating: couldn't log in: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: issue with setting PAData on AS_REQ < Encrypting_Error: error getting key from credentials: matching key not found in keytab. Looking for [USER_PRINCIPAL_HERE] realm: KERBEROS_REALM_HERE kvno: 0 etype: 17
USER_PRINCIPAL_HERE- The Kerberos user principal you are trying to log in as.KERBEROS_REALM_HERE- The Kerberos realm.
Cause
The above-mentioned error is a result of a missing key or not correctly used encryption type in the provided
keytab file to the Vault server via the keytab_path parameter.Solution
As stated above the error indicates a missing key in the provided
keytab file or an available key but not using the correct encryption. In order to resolve the error, a new keytab file should be generated. In Windows environments, the
ktpass command should be used.In Linux environments the
ktutil utility should be used.An important part of generating a new
keytab file is to understand the returned error, here's an example: kvno: 0 etype: 17.This indicates that you should use the latest
KVNO of the Kerberos principal and aes128-cts-hmac-sha1-96 encryption type when generating the new keytab. The number 17 corresponds to aes128-cts-hmac-sha1-96 encryption type.Note: You can review the other encryption types in the link below.
For specific instructions on the
ktpass and ktutil utilities you can use the examples here for ktutil and here for ktpass.