OmniauthKerberosSpnegoController: gss_accept_sec_context did not return GSS_S_COMPLETE: An unsupported mechanism was requested

Overview

A number of customers are reporting issue when using the kerberos integrations.

Specifically they receive the following exception when attempting to negotiate authentication.

Processing by OmniauthKerberosSpnegoController#negotiate as HTML
OmniauthKerberosSpnegoController: failed to process Negotiate/Kerberos authentication: gss_accept_sec_context did not return GSS_S_COMPLETE: An unsupported mechanism was requested Unknown error

This exception can be found in the GSSAPI code https://github.com/zenchild/gssapi/blob/master/lib/gssapi/simple.rb#L137

Various resourcse only suggest this could be caused by a number of issues:

• Incorrectly generated keytab
• DNS issues with the kerberos server records

Resources

• http://stackoverflow.com/a/20143113
• http://www.itadmintools.com/2011/07/creating-kerberos-keytab-files.html
• https://github.com/stnoonan/spnego-http-auth-nginx-module/issues/15
• http://serverfault.com/questions/351594
• http://serverfault.com/a/620555
• https://serverfault.com/a/753956
• https://community.hortonworks.com/questions/73846/spnego-issue-after-setting-up-mit-kdc-one-way-trus.html

Tickets

• https://gitlab.zendesk.com/agent/tickets/74212
  • https://gitlab.zendesk.com/agent/tickets/63987
• https://gitlab.zendesk.com/agent/tickets/74261