Reputation: 1
Having got an SSO solution fully working using SPNEGO/Kerberos within a Windows Tomcat environment, which allows my Windows domain user to be used to make a connection to an IBMi via JTOpen, which then uses EIM to map my Windows user to an IBM user to log me into the IBMi,
I have two SPNs set up on the KDC with Delegation to any Kerberos Service enabled:
HTTP/windows.mydomain@MYDOMAIN
krbsvr400/ibmi.mydomain@MYDOMAIN
Having then enabled Constrained Delegation on the KDC for:
HTTP/windows.mydomain@MYDOMAIN
I end up with this Kerberos error right at the point of making the connection to the IBMi:
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Jun 16 21:06:47 BST 2022 1655410007000
suSec is 417830
error code is 13
error Message is KDC cannot accommodate requested option
sname is krbsvr400/ibmi.mydomain@MYDOMAIN
eData provided.
msgType is 30
Unknown eData field of KRB-ERROR:
0000: 30 15 A1 03 02 01 03 A2 0E 04 0C 25 02 00 C0 00 0..........%....
0010: 00 00 00 03 00 00 00 .......
So far I have not been able to move forward past this Kerberos error.
Upvotes: 0
Views: 2107
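The eData that the Java client prints as an unknown field is a Microsoft KERB-ERROR-DATA structure (MS-KILE): data-type 3 wraps a KERB-EXT-ERROR whose first field is a little-endian NTSTATUS. The decoder below is an added example, not code from the question or from JTOpen; it parses the exact bytes from the dump above and returns the status 0xC0000225 (STATUS_NOT_FOUND in ntstatus.h), which says more about the delegation lookup than the bare error code 13 (KDC_ERR_BADOPTION).

```python
import struct

# The eData bytes exactly as the KRB-ERROR dump in the question shows them.
EDATA_HEX = "30 15 A1 03 02 01 03 A2 0E 04 0C 25 02 00 C0 00 00 00 00 03 00 00 00"

# NTSTATUS values this example knows how to name (ntstatus.h).
NTSTATUS_NAMES = {0xC0000225: "STATUS_NOT_FOUND"}


def _tlv(buf, pos):
    """Read one DER TLV with a short-form length; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not expected in KERB-ERROR-DATA")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def parse_kerb_error_data(edata):
    """Decode MS-KILE KERB-ERROR-DATA ::= SEQUENCE { data-type [1] INTEGER,
    data-value [2] OCTET STRING OPTIONAL }. For data-type 3 (KERB_ERR_TYPE_EXTENDED)
    the value is KERB-EXT-ERROR { status, reserved, flags } as three little-endian ULONGs."""
    tag, body, _ = _tlv(edata, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    result = {}
    pos = 0
    while pos < len(body):
        ctx_tag, inner, pos = _tlv(body, pos)       # context tag [1] or [2]
        field_tag, value, _ = _tlv(inner, 0)        # the wrapped universal type
        if ctx_tag == 0xA1 and field_tag == 0x02:   # data-type [1] INTEGER
            result["data_type"] = int.from_bytes(value, "big", signed=True)
        elif ctx_tag == 0xA2 and field_tag == 0x04: # data-value [2] OCTET STRING
            result["data_value"] = value
    if result.get("data_type") == 3 and len(result.get("data_value", b"")) == 12:
        status, reserved, flags = struct.unpack("<III", result["data_value"])
        result.update(status=status, reserved=reserved, flags=flags,
                      status_name=NTSTATUS_NAMES.get(status, "unknown"))
    return result


def decode_hex_dump(hexstr):
    """Turn the space-separated hex from the Java dump into bytes."""
    return bytes.fromhex(hexstr.replace(" ", ""))


if __name__ == "__main__":
    info = parse_kerb_error_data(decode_hex_dump(EDATA_HEX))
    print(f"data-type={info['data_type']} status=0x{info['status']:08X} "
          f"({info['status_name']}) flags={info['flags']}")
```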
Reputation: 142
I was facing the same issue with the same output.
Is your KDC server running on Server 2012 or older?
In my case the solution was to change the SPN setup on the KDC.
Instead of Delegation to any Kerberos Service, try using the option "Trust the user for delegation to specified services only" and then "Use any authentication protocol", and
put your service:
krbsvr400/ibmi.mydomain@MYDOMAIN
on the list.
Check this article about issues with constrained delegation.
So you should check whether your KDC operates on a system that supports constrained delegation. If yes, try changing the trust options mentioned above.
Upvotes: 0