How to resolve Kerberos Contrained Delegation Error (KCD)

Workspace ONE Certificate Based Authentication with On Premise Exchange Server might not work as expected.

The easiest way to check the configuration, is to use the VMware-KCD-Client tool, under the SEG for Windows installation folder or on UAG – depending on your setup.

If you are encountering the following error while testing with the tool, it might be related to a missing patch on your Domain Controllers.

“ERROR: KRB5Client::constrained_delegate failed, error( – KRB5Client: gss_init_sec_context: Message stream modified
and minor code -1765328343″

Here are the links for the related patch:

Windows Server 2012 R2

https://support.microsoft.com/en-us/topic/kb5008603-authentication-fails-on-domain-controllers-in-certain-kerberos-scenarios-on-windows-server-2012-r2-1beea7a1-9a3c-48dd-a56d-c3cc3f5d0d50

Windows Server 2016

https://support.microsoft.com/en-us/topic/november-14-2021-kb5008601-os-build-14393-4771-out-of-band-c8cd33ce-3d40-4853-bee4-a7cc943582b9

Windows Server 2019

https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7

Advertisement