
Unspecified GSS failure: ... kvno [Number] found in keytab but not with enctype rc4-hmac


I am trying to run a code that verifies an Authorization token from the client. I wrote this code inside a function:

import logging

import kerberos  # the "kerberos" module from the pykerberos package

LOGGER = logging.getLogger(__name__)


class TokenVerifier:
    def verify(self, token):
        host = 'site_address'
        state = None
        service_name = f'HTTP@{host}'
        try:
            rc, state = kerberos.authGSSServerInit(service_name)
            if rc != kerberos.AUTH_GSS_COMPLETE:
                return None
            rc = kerberos.authGSSServerStep(state, token)   # <<<<< !!! ERROR !!!
            if rc == kerberos.AUTH_GSS_COMPLETE:
                self.kerberos_token = kerberos.authGSSServerResponse(state)
                self.kerberos_user = kerberos.authGSSServerUserName(state)
                return rc
            elif rc == kerberos.AUTH_GSS_CONTINUE:
                return kerberos.AUTH_GSS_CONTINUE
            else:
                return None
        except kerberos.GSSError as error:
            LOGGER.error('Failed to perform the token verification due to %s', error)
            return None
        finally:
            if state:
                kerberos.authGSSServerClean(state)

But the code fails at rc = kerberos.authGSSServerStep(state, token) (I marked the line in the code) with this error:

GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Request ticket server HTTP/<site_address>@<realm_name> kvno 4 found in keytab but not with enctype rc4-hmac', 100005))

Also thrown this error to the screen:

[3302] 1547638447.877515: Failed to decrypt AP-REQ ticket: -1765328340/Request ticket server HTTP/base.testing.gc@TESTING.GC kvno 4 found in keytab but not with enctype rc4-hmac

My question is: why do I receive this message? My user that is configured in the Active Directory is marked with "This account supports Kerberos AES 256 bit encryption" enabled, and the keytab file was created with the /crypto AES256-SHA1 enctype.

Why is my server (Docker on an Ubuntu 18.04 machine) trying to decrypt this with the rc4-hmac enctype? How do I fix it?

Edit: Maybe my question should be: who tells me in which enctype I should read the keytab?


Solution

  • For me it was the trust configuration of the browser: I should have added the site to the browser's trusted sites (Internet Options -> Security -> Local Internet -> Sites -> Add the site with the exact port, http/https and address).

    For some weird reason, the instructions for the enctype are in the token's header... or there is some kind of fallback to this encryption.