For AppPortal, raised encryption standards on KDC server require extra AD account configuration

By jasonlu, Level 7 Champion

If the environment's Active Directory KDC server has raised encryption levels, then any AD account, including the AppPortal service account, will require the "This account supports Kerberos AES 256 bit encryption" option to be checked ON in the AD user object.

If this is not done, then a number of symptoms can be seen:

1) User-specific logs in \Program Files (x86)\Flexera Software\App Portal\Logs\UserLog will show an error like:

Unable to detetct group membership for user : DOMAIN\USERACCOUNT The encryption type requested is not supported by the KDC.


2) IIS logs will show that the user can authenticate to the AppPortal UI, but when clicking through to parts of the configuration the following notification will be seen on the main pane:

You do not have access to this area.

I found this while testing AppPortal 2021R2; however, I believe the behaviour is the same across other versions.


Further reading:
https://docs.microsoft.com/en-us/sharepoint/troubleshoot/security/configuration-to-support-kerberos-aes-encryption
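
One way to audit and set the same option from PowerShell instead of the AD user object's checkbox (an added example, not part of the original post or of Flexera's documentation). It assumes the ActiveDirectory RSAT module is installed; `svc_appportal` is a placeholder account name and the `-Fix` switch is a hypothetical parameter of this script.

```powershell
#Requires -Modules ActiveDirectory
# Added example. 'svc_appportal' is a placeholder for the App Portal service account.
param(
    [string[]]$Account = @('svc_appportal'),
    [switch]$Fix   # hypothetical switch: also add the AES256 bit where it is missing
)

# Bit values of the msDS-SupportedEncryptionTypes attribute.
# 0x10 is the bit behind "This account supports Kerberos AES 256 bit encryption".
$EncTypes = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128'      = 0x08
    'AES256'      = 0x10
}

foreach ($name in $Account) {
    $user = Get-ADUser -Identity $name -Properties 'msDS-SupportedEncryptionTypes', PasswordLastSet
    $mask = [int]$user.'msDS-SupportedEncryptionTypes'   # unset attribute ($null) becomes 0
    $enabled   = $EncTypes.Keys | Where-Object { $mask -band $EncTypes[$_] }
    $hasAes256 = [bool]($mask -band 0x10)

    # Report the current state of the account.
    [pscustomobject]@{
        Account         = $user.SamAccountName
        Mask            = '0x{0:X2}' -f $mask
        Enabled         = if ($enabled) { $enabled -join ', ' } else { '(not set)' }
        AES256          = $hasAes256
        PasswordLastSet = $user.PasswordLastSet
    }

    if ($Fix -and -not $hasAes256) {
        # Keep the bits already set and add AES256.
        # -WhatIf only previews the change; remove it to write the attribute.
        Set-ADUser -Identity $user -Replace @{ 'msDS-SupportedEncryptionTypes' = ($mask -bor 0x10) } -WhatIf
    }
}
```

The `PasswordLastSet` column is included because AES keys for an account are generated when its password is set, so an account with a very old password may need a password reset after the option is enabled.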
(1) Solution

See original post for "answer".

Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".