I am having an issue where I am getting a prompt from SEM web gui to provide my credentials. I provide credentials (we use both tokens and passwords). It does not fail unless I close the prompt. LDAP works fine.
I have a CA that I signed the ssl Certificate with. The SEM name is sem.domain (This is an offline domain). The sem console has the correct domain and IP configurations.
I was successful in creating a keytab with the following:
\ktpass.exe -princ HTTP/sem.domain -pass *** -mapuser domain\sem -pType KRB5_NT_PRINCIPAL -crypto ALL -Out c:\Keytab\sem.keytab
I also tried to change it to AES256 since the DISA STIG requires atleast AES128. But I still get the issue.
I transported the keytab via the domain sysvol share to the SEM server.
The watchlog (Manager menu in CMC console) shows that there is a Kerberos checksum issue before I even select an account to log in with at the prompt.