Preauth module pkinit (16) (real) returned: -1765328360/Failed to verify own certificate (depth 1): unable to get issuer certificate


Symptoms

First, see How to analyze the log files to identify single sign-on (SSO) issues.

Single sign-on fails. In awingu-worker-smc.service.log, an error similar to the following can be seen:

2022-02-14 12:49:09.882751 someawinguhost awingu-worker-smc.service[manage.py:2374]: Using specified cache: /etc/awingu/domains/WORKSPACEDOMAIN/fc141ec7-42d9-4f26-ad19-b8acf63e2bef/kerberos/kerberos_credentials_cache
Using principal: someuser\@SOMEDOMAIN.ORG@SOMEDOMAIN.ORG
PA Option X509_user_identity = FILE:/etc/awingu/domains/WORKSPACEDOMAIN/fc141ec7-42d9-4f26-ad19-b8acf63e2bef/certificate.pem,/etc/awingu/domains/WORKSPACEDOMAIN/fc141ec7-42d9-4f26-ad19-b8acf63e2bef/private_key.pem
[5364] 1644842949.779348: Getting initial credentials for someuser\@SOMEDOMAIN.ORG@SOMEDOMAIN.ORG
[5364] 1644842949.779350: Sending unauthenticated request
[5364] 1644842949.779351: Sending request (213 bytes) to SOMEDOMAIN.ORG
[5364] 1644842949.779352: Resolving hostname somehost.SOMEDOMAIN.ORG
[5364] 1644842949.779353: Sending initial UDP request to dgram 10.1.2.3:88
[5364] 1644842949.779354: Received answer (200 bytes) from dgram 10.1.2.3:88
[5364] 1644842949.779355: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[5364] 1644842949.779356: No URI records found
[5364] 1644842949.779357: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[5364] 1644842949.779358: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[5364] 1644842949.779359: No SRV records found
[5364] 1644842949.779360: Response was not from master KDC
[5364] 1644842949.779361: Received error from KDC: -1765328359/Additional pre-authentication required
[5364] 1644842949.779364: Preauthenticating using KDC method data
[5364] 1644842949.779365: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[5364] 1644842949.779366: Selected etype info: etype aes256-cts, salt "SOMEDOMAIN.ORGsomeuser", params ""
[5364] 1644842949.779367: PKINIT loading CA certs and CRLs from FILE
[5364] 1644842949.779368: PKINIT client computed kdc-req-body checksum 9/424B82E19240914705219CFBD9A765A20103B5F7
[5364] 1644842949.779370: PKINIT client making DH request
[5364] 1644842949.779371: PKINIT OpenSSL error: Failed to verify own certificate (depth 1): unable to get issuer certificate
[5364] 1644842949.779372: Preauth module pkinit (16) (real) returned: -1765328360/Failed to verify own certificate (depth 1): unable to get issuer certificate
[5364] 1644842949.779373: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
[5364] 1644842949.779374: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed
[5364] 1644842949.779375: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
[5364] 1644842949.779376: Retrying AS request with master KDC
[5364] 1644842949.779377: Getting initial credentials for someuser\@SOMEDOMAIN.ORG@SOMEDOMAIN.ORG
[5364] 1644842949.779379: Sending unauthenticated request
[5364] 1644842949.779380: Sending request (213 bytes) to SOMEDOMAIN.ORG (master)
[5364] 1644842949.779381: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[5364] 1644842949.779382: No URI records found
[5364] 1644842949.779383: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[5364] 1644842949.779384: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[5364] 1644842949.779385: No SRV records found
kinit: Pre-authentication failed: Failed to verify own certificate (depth 1): unable to get issuer certificate while getting initial credentials

Important note: the certificate depth may be a different number, depending on how many certificates there are in the certificate chain.

Cause

Parallels Secure Workspace cannot obtain the issuer certificate of one of the certificates it uses for authentication, so the certificate chain cannot be verified.

Resolution

Recreate the "Trusted CA roots" file and upload it again under System Settings > Configure > User Connector: Federated Authentication. Make sure the file also contains the intermediate CA certificates, not only the root CA.
