Solved: For AppPortal, raised encryption standards on KDC server require extra AD account configuration

jasonlu · ‎Oct 28, 2021

If the environment's Active Directory KDC server has raised encryption levels, then any AD account, including the AppPortal service account, will require the "This account supports Kerberos AES 256 bit encryption" option to be checked ON in the AD user object.

If this is not done, then a number of symptoms can be seen:

1) user specifc logs in \Program Files (x86)\Flexera Software\App Portal\Logs\UserLog will show an error like:

Unable to detetct group membership for user : DOMAIN\USERACCOUNT The encryption type requested is not supported by the KDC.

2) IIS logs will show that the user can authenticate to the AppPortal UI, but when clicking through to parts of the configuration the following notification will be seen on the main pane:

You do not have access to this area.

I found this while testing AppPortal 2021R2, however I believe the behaviour is the same across other versions.

Further reading:
https://docs.microsoft.com/en-us/sharepoint/troubleshoot/security/configuration-to-support-kerberos-...

jdempsey · ‎Dec 27, 2021

See original post for "answer".

Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".

View solution in original post

jdempsey · ‎Dec 27, 2021

See original post for "answer".

Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".