Centrify DirectControl 4.4.3 or below on all platforms with Windows 2003 domains
Users from Forest A are unable to log in to machines that are joined to Forest B. In the network trace, the error shows:
When requesting host/hostname.mydomain.com with krbtgt/mydomain.com ... it was rejected for KRB5KDC_ERR_POLICY (12).
Status c0000413 is STATUS_AUTHENTICATION_FIREWALL_FAILED (Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine).
0xC - KDC_ERR_POLICY: KDC policy rejects request. Associated internal Windows error code (from the trace above): c0000413 STATUS_AUTHENTICATION_FIREWALL_FAILED.
KDC_ERR_POLICY is usually the result of logon restrictions in place on a user’s account. This error is usually accompanied by an error packet which might contain additional information that can be viewed with a Network Monitor capture.
The machine account for the host in Forest B must have the "Allowed to Authenticate" permission granted to the user or the group from Forest A.
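The following PowerShell is an added example, not part of the Centrify KB, showing how to check whether a Forest A group already holds the "Allowed to Authenticate" right on a Forest B computer object and how to grant it if not. It assumes the ActiveDirectory module is available on a Forest B host, and the host name, group name and DC name used below are placeholders.

```powershell
# Added example (not from the Centrify KB): audit and grant the
# "Allowed to Authenticate" control-access right on a Forest B computer
# object for a Forest A group. Missing this right is what produces the
# KDC_ERR_POLICY / c0000413 symptom when selective authentication is on.
Import-Module ActiveDirectory

# Schema GUID of the Allowed-To-Authenticate extended right.
$allowedToAuthGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Test-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,                                # Forest B machine
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid   # Forest A group SID
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
    # Return any Allow ACE for this SID whose object type is the Allowed-To-Authenticate right.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $allowedToAuthGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid
    }
}

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $path = "AD:\" + $computer.DistinguishedName
    $acl = Get-Acl -Path $path
    # Build an Allow ACE for the extended right, scoped to the Allowed-To-Authenticate GUID.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Usage (placeholder names): resolve the Forest A group's SID from a Forest A DC,
# then check the Forest B machine account and grant the right only if it is absent.
$sid = (Get-ADGroup -Identity 'Forest-A-Users' -Server 'dc01.foresta.example').SID
if (-not (Test-AllowedToAuthenticate -ComputerName 'hostname' -Sid $sid)) {
    Grant-AllowedToAuthenticate -ComputerName 'hostname' -Sid $sid
}
```

Re-run Test-AllowedToAuthenticate afterwards; it should now return the new ACE, and the Forest A user's logon to the host should no longer fail with KRB5KDC_ERR_POLICY.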
Note: below are more possible causes and resolutions found on the web that you may find helpful:
• Logon restrictions are in place on the user’s account (see the KDC_ERR_POLICY description above).
Use Active Directory Users and Computers to verify whether restrictions in place on this account might prevent this user from logging on. To use Active Directory Users and Computers:
1. Click Start, click Run, and then type: dsa.msc
2. Locate the user that is having logon problems, right-click the user’s account, and then click Properties.
3. Verify the settings on the Account tab for valid logon hours and the computers to which this user is allowed to log on.
• Constrained delegation is being attempted across multiple domains.
No resolution. Windows Server 2003 does not support constrained delegation across multiple domains.
• The server receives a ticket in which the client’s realm does not match the local realm.
Confirm the error with a Network Monitor capture. The only way to eliminate this error is to ensure that the server and client are in the same realm (domain).
For more information, refer to the following links: