The Kerberos authentication method requires knowledge of the Kerberos protocol. Here's an example error message:
Problem

The following error is observed when the vault login ... command is executed in order to authenticate via the Kerberos authentication method:

Error authenticating: couldn't log in: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: issue with setting PAData on AS_REQ < Encrypting_Error: error getting key from credentials: matching key not found in keytab. Looking for [USER_PRINCIPAL_HERE] realm: KERBEROS_REALM_HERE kvno: 0 etype: 17

USER_PRINCIPAL_HERE - The Kerberos user principal you are trying to log in as.
KERBEROS_REALM_HERE - The Kerberos realm.
Cause

The above error is the result of a missing key, or of a key with the wrong encryption type, in the keytab file provided to the Vault server via the keytab_path parameter.

Solution
As stated above, the error indicates that the provided keytab file is either missing the key or holds a key that does not use the correct encryption type. To resolve the error, a new keytab file should be generated: in Windows environments use the ktpass command, and in Linux environments use the ktutil utility.

An important part of generating a new keytab file is understanding the returned error. In the example above the relevant part is:

kvno: 0 etype: 17

This indicates that you should use the latest KVNO of the Kerberos principal and the aes128-cts-hmac-sha1-96 encryption type when generating the new keytab. The number 17 corresponds to the aes128-cts-hmac-sha1-96 encryption type.

Note: You can review the other encryption types in the link below.

For specific instructions on the ktpass and ktutil utilities you can use the examples here for ktutil and here for ktpass.
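The procedure above, as an added shell example that is not part of the original article: it parses the error text for the principal, realm, kvno and etype, maps the etype number to the names ktutil and ktpass expect (17 is aes128-cts-hmac-sha1-96, 18 is aes256-cts-hmac-sha1-96, per the IANA Kerberos encryption-type registry), prints the matching ktutil batch and ktpass command line, and checks "klist -kte" output for the required key before you retry the login. The principal vault-user, realm EXAMPLE.COM, the keytab paths and both klist listings are constructed placeholders, and MIT Kerberos ktutil syntax is assumed.

```shell
#!/bin/sh
# Added example, not taken from the Vault article: read the "matching key not
# found in keytab" error, derive the ktutil/ktpass input that produces a matching
# key, and verify the resulting keytab from "klist -kte" output. Principal, realm
# and paths below are placeholders.

# IANA Kerberos encryption-type number -> name used by MIT ktutil/klist.
etype_name() {
    case "$1" in
        1)  echo des-cbc-crc ;;
        3)  echo des-cbc-md5 ;;
        16) echo des3-cbc-sha1 ;;
        17) echo aes128-cts-hmac-sha1-96 ;;
        18) echo aes256-cts-hmac-sha1-96 ;;
        19) echo aes128-cts-hmac-sha256-128 ;;
        20) echo aes256-cts-hmac-sha384-192 ;;
        23) echo rc4-hmac ;;
        *)  echo "unknown-etype-$1" ;;
    esac
}

# Same number -> the /crypto value accepted by Windows ktpass.
ktpass_crypto() {
    case "$1" in
        17) echo AES128-SHA1 ;;
        18) echo AES256-SHA1 ;;
        23) echo RC4-HMAC-NT ;;
        *)  echo "unsupported-$1" ;;
    esac
}

# Pull "realm", "kvno" or "etype" out of the error text.
error_field() {   # $1 = field name, $2 = error text
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1: \([^[:space:]]*\).*/\1/p"
}

# The client library prints principal components space-separated inside [ ];
# join them with "/" so "[HTTP host.example.com]" becomes HTTP/host.example.com.
error_principal() {   # $1 = error text
    printf '%s\n' "$1" | sed -n 's/.*Looking for \[\([^]]*\)].*/\1/p' | tr ' ' '/'
}

# MIT ktutil batch that adds one key with the required kvno and enctype.
# kvno 0 in the error means "latest": look the real value up first
# ("kvno user@REALM" on MIT, msDS-KeyVersionNumber in AD) and pass it here.
ktutil_batch() {   # $1 = user@REALM, $2 = kvno, $3 = etype number, $4 = keytab path
    printf 'addent -password -p %s -k %s -e %s\nwkt %s\nquit\n' \
        "$1" "$2" "$(etype_name "$3")" "$4"
}

# Equivalent ktpass command line for an Active Directory KDC (printed, not run).
ktpass_cmd() {   # $1 = user@REALM, $2 = DOMAIN\user, $3 = kvno, $4 = etype, $5 = out file
    printf 'ktpass /princ %s /mapuser %s /ptype KRB5_NT_PRINCIPAL /crypto %s /kvno %s /pass * /out %s\n' \
        "$1" "$2" "$(ktpass_crypto "$4")" "$3" "$5"
}

# Does "klist -kte <keytab>" output contain an entry for the principal with the
# required enctype and (unless kvno is 0) the required kvno? Exit 0 if so.
keytab_has_key() {   # $1 = klist output, $2 = user@REALM, $3 = kvno, $4 = etype number
    printf '%s\n' "$1" | awk -v p="$2" -v k="$3" -v e="($(etype_name "$4"))" '
        index($0, p) && index($0, e) && (k == "0" || $1 == k) { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# --- constructed sample data (placeholders, not real hosts or accounts) --------
SAMPLE_ERROR="Error authenticating: couldn't log in: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: issue with setting PAData on AS_REQ < Encrypting_Error: error getting key from credentials: matching key not found in keytab. Looking for [vault-user] realm: EXAMPLE.COM kvno: 0 etype: 17"

# klist -kte output (MIT format) for a keytab holding only an AES-256 key ...
KEYTAB_BEFORE='Keytab name: FILE:/etc/vault/vault-user.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 03/01/2024 10:15:00 vault-user@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# ... and for the regenerated keytab that also carries the AES-128 key.
KEYTAB_AFTER="$KEYTAB_BEFORE
   2 03/01/2024 10:15:00 vault-user@EXAMPLE.COM (aes128-cts-hmac-sha1-96)"

PRINC="$(error_principal "$SAMPLE_ERROR")@$(error_field realm "$SAMPLE_ERROR")"
ETYPE=$(error_field etype "$SAMPLE_ERROR")
CURRENT_KVNO=2   # placeholder for the value read from the KDC

echo "error asks for $PRINC etype $ETYPE ($(etype_name "$ETYPE"))"
echo "ktutil input:"; ktutil_batch "$PRINC" "$CURRENT_KVNO" "$ETYPE" /etc/vault/vault-user.keytab
echo "ktpass equivalent:"; ktpass_cmd "$PRINC" 'EXAMPLE\vault-user' "$CURRENT_KVNO" "$ETYPE" vault-user.keytab
keytab_has_key "$KEYTAB_BEFORE" "$PRINC" "$CURRENT_KVNO" "$ETYPE" || echo "old keytab: required key missing (matches the error)"
keytab_has_key "$KEYTAB_AFTER"  "$PRINC" "$CURRENT_KVNO" "$ETYPE" && echo "new keytab: required key present, retry vault login"
```

Pipe the printed batch into ktutil (ktutil < batch.txt) on the Linux host that holds the keytab, then run klist -kte on the written file and feed that output to keytab_has_key; the login only succeeds when an entry with the principal, the etype named in the error, and a kvno the KDC currently has is present.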