The agent has rejected an attempt by the emake client to authenticate itself.
If our policy was instead to simply drop the agent connection, then attackers could reasonably infer that a dropped connection means authentication failure, because other explanations (such as network connectivity interruptions) are much less likely.
Thus in order to convincingly hide authentication rejection, we would have to provide a convincing simulation of authentication success. The more convincing a simulation, the more computational resources it would consume, and the more confusing it would be to legitimate users and administrators when authentication fails by accident. At least for now, it seems better to focus on detecting actual vulnerabilities, rather than confusing attackers into wasting effort on secure systems.
Various causes are possible. Check the agent logs for details—for security reasons the agent intentionally withholds the details of the failure.
In particular, if on Linux you see "
Security Error: gss_accept_sec_context: GSSAPI Minor Status 0x2: No such file or directory" in the agent log, then you may need to install a keytab or tell the agent where to find it.
The fix will depend upon the cause, but be suspicious because most innocent causes of failure do not trigger this error—they are much more likely to trigger EC1171.