This article explains how to resolve an issue where a user receives a 401 error when accessing an IIS application through OAG. In this specific scenario the 401 coincides with the OAG log error "Server not found in Kerberos database".
This article assumes that higher-level configuration issues have been ruled out, for example, the Kerberos realm is showing as "Valid" in the OAG Settings panel, and the Kerberos simulator is successful.
For more details on these items, please review:
OAG Log:
information, client: 10.43.85.11, server: gw-iis.nbcorp.us, request: "GET / HTTP/2.0", host: "gw-iis.nbcorp.us", referrer: "https://nbcorp.okta.com/ "
2023-06-16T12:55:56.000-04:00 oag-admin.nbcorp.us oag-admin.nbcorp.us LWxmOLdK4: 2023/06/16 12:55:56 [error] 4056#0: *637 [lua] authSession.lua:1444: Minor ERR:Server not found in Kerberos database, client: 10.43.85.11, server: gw-iis.nbcorp.us, request: "GET / HTTP/2.0", host: "gw-iis.nbcorp.us", referrer: "https://nbcorp.okta.com/ "
- Okta Access Gateway (OAG)
- Kerberos/IIS Application
OAG internally expects the header that carries the authenticated user's name to be called "iwa_username", as in this example.
If this header is given any other name, OAG cannot correctly request the Kerberos service ticket for the user from the KDC. In a packet capture of the exchange between OAG and the KDC, the KDC can be seen rejecting OAG's ticket request with the error KDC_ERR_C_PRINCIPAL_UNKNOWN, as in this example packet capture.
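The following triage script is an added example and is not part of the original Okta article or of OAG itself. It takes OAG log text in the format shown above, re-joins records that a syslog forwarder or paste has wrapped onto a second line (in the log above the client IP "10.43.85.11" arrived split as "10.43.8" and "5.11"), extracts the client, server, request and message fields, and flags every record carrying the "Server not found in Kerberos database" error together with the check this article prescribes. The sample log is constructed from the article's error record plus one invented non-error record for contrast; the numeric value of KDC_ERR_C_PRINCIPAL_UNKNOWN is taken from RFC 4120.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample: the error record from this article, wrapped exactly as it
# was pasted (client IP cut into "10.43.8" / "5.11"), followed by an invented
# non-error record so the filter has something to ignore.
SAMPLE_LOG = """\
2023-06-16T12:55:56.000-04:00 oag-admin.nbcorp.us oag-admin.nbcorp.us LWxmOLdK4: 2023/06/16 12:55:56 [error] 4056#0: *637 [lua] authSession.lua:1444: Minor ERR:Server not found in Kerberos database, client: 10.43.8
5.11, server: gw-iis.nbcorp.us, request: "GET / HTTP/2.0", host: "gw-iis.nbcorp.us", referrer: "https://nbcorp.okta.com/ "
2023-06-16T12:55:58.000-04:00 oag-admin.nbcorp.us oag-admin.nbcorp.us LWxmOLdK4: 2023/06/16 12:55:58 [info] 4056#0: *638 [lua] authSession.lua:1440: session ok, client: 10.43.85.12, server: gw-other.nbcorp.us, request: "GET / HTTP/2.0", host: "gw-other.nbcorp.us", referrer: "https://nbcorp.okta.com/ "
"""

KERBEROS_DB_ERR = "Server not found in Kerberos database"   # OAG log text from the article
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6                             # KRB-ERROR error-code, RFC 4120 s7.5.9
REQUIRED_HEADER = "iwa_username"                            # header name OAG expects (article)

# A new record begins with the syslog ISO-8601 timestamp; anything else is a wrapped tail.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")

FIELD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<syslog_host>\S+) (?P<host2>\S+) (?P<tag>\S+): "
    r"(?P<ngx_ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: \*(?P<conn>\d+) "
    r"\[lua\] (?P<src>[\w.]+:\d+): (?P<msg>.*?), client: (?P<client>[\d.]+), "
    r"server: (?P<server>\S+), request: \"(?P<request>[^\"]*)\", host: \"(?P<vhost>[^\"]*)\""
    r"(?:, referrer: \"(?P<referrer>[^\"]*)\")?"
)


@dataclass
class OagRecord:
    ts: str
    level: str
    source: str
    message: str
    client: str
    server: str
    request: str
    vhost: str
    referrer: Optional[str]


def iter_records(text: str) -> Iterator[str]:
    """Yield one logical record per log entry, re-joining wrapped continuation lines."""
    buf: Optional[str] = None
    for line in text.splitlines():
        if RECORD_START.match(line):
            if buf is not None:
                yield buf
            buf = line
        elif buf is not None:
            # The wrap in the pasted log cut a token in two ("10.43.8" + "5.11"),
            # so continuation lines are glued back with no separator.
            buf += line
    if buf is not None:
        yield buf


def parse_record(rec: str) -> Optional[OagRecord]:
    """Parse one re-joined OAG record; returns None for lines that do not match the format."""
    m = FIELD_RE.match(rec)
    if not m:
        return None
    ref = m.group("referrer")
    return OagRecord(
        ts=m.group("ts"), level=m.group("level"), source=m.group("src"),
        message=m.group("msg"), client=m.group("client"), server=m.group("server"),
        request=m.group("request"), vhost=m.group("vhost"),
        referrer=ref.strip() if ref is not None else None,
    )


def kerberos_failures(text: str) -> List[OagRecord]:
    """Return only the records that carry the Kerberos-database error from this article."""
    parsed = (parse_record(r) for r in iter_records(text))
    return [r for r in parsed if r is not None and KERBEROS_DB_ERR in r.message]


def triage_hint(rec: OagRecord) -> str:
    """Turn a failing record into the check this article prescribes."""
    return (
        f"{rec.ts} client={rec.client} app={rec.vhost}: {rec.message}. "
        f"Verify the application's username header is named '{REQUIRED_HEADER}'; "
        f"a capture of OAG to the KDC will show KRB-ERROR error-code "
        f"{KDC_ERR_C_PRINCIPAL_UNKNOWN} (KDC_ERR_C_PRINCIPAL_UNKNOWN) if it is not."
    )


if __name__ == "__main__":
    for failing in kerberos_failures(SAMPLE_LOG):
        print(triage_hint(failing))
```

Point the script at a saved OAG log export instead of SAMPLE_LOG to list every affected application (the "host" field) in one pass; records from other lua sources or without a "client:" field are skipped rather than mis-parsed.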
