Disable kerberos keys when eating problems SecureCRT and SecureFX

Note:Sometimes, an ssh connection attempt with the SecureCRT program or an sftp connection attempt with the SecureFX program running on Windows will fail to connect with this error message:

Internal credentials cache error (Kerberos error 196)

This error can happen when SecureCRT or SecureFX tries to forward your kerberos credential from your login to Windows to the remote system to authenticate you, and the remote system does not accept kerberos authentication. To work-around this error, you must disable the use of kerberos key exchange to that server, as shown in this note.

SecureCRT and SecureFX are companion programs and work the same way. The screen-shots shown here are from SecureCRT. Use the same method for SecureFX.

Key exchange methods are set on a per-session basis. You must first define a session for your connection before you can disable kerberos key exchange. When you open theSecureCRT (or SecureFX) program, it normally brings up the Connect dialog box, as shown below. If not, select it from the "File" menu.

If you do not have a session defined for your intended destination, click on the third icon from the left, which is the "New Session" button, shown circled in red in the the screenshot above. This brings up a "New Session Wizard" where you can define basic session parameters. Leave all configurations (SSH2 and SFTP) at their default values and just fill in the "Hostname" field. The wizard will then add this newly defined session to your session menu list.

Now that you have defined a session for this server, right-click on its name in the "Connect" window and select "Properties" from the contextual menu, as shown below:

This opens the "Session Options" window, as shown below:

The left side of "Session Options" is a menu of all the options you can configure. Click on "SSH2". This will bring up the SSH2 connection options, as shown in the screenshot above. The "Key exchange" section on the right shows all the possible key exchange methods thatSecureCRT or SecureFX will try. By default, they are all checked (enabled). UNcheck (disable) the two options labelled Kerberos and Kerberos w/ Group Exchange. Close the "Session Options" window and continue with your connection.

This new setting will persist for your account on this computer, until such time as the lab computers are rebuilt with a new software image at the end of the quarter.