Troubleshooting Kerberos authentication
When diagnosing Kerberos authentication failures, check the logs on the Ticket Granting Server (TGS) to identify the root cause of the failure. In addition, install a browser utility (for example, HTTPHeaders for Internet Explorer or Live HTTP Headers for Firefox) to display the headers that are sent between the browser and the BMC Atrium Single Sign-On server. These headers help identify the point of failure.
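The captured headers show which mechanism the browser actually sent. The following Python sketch is an added example, not BMC code: it classifies a captured `Authorization` header value as Kerberos or NTLM by decoding the token, assuming the standard HTTP Negotiate scheme (RFC 4559). The function name and the sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                     # start of every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),            # 1.2.840.113554.1.2.2 (Kerberos 5)
    bytes.fromhex("06092a864882f712010202"),            # 1.2.840.48018.1.2.2 (Microsoft variant)
)


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'no-token', 'not-negotiate' or 'unknown'."""
    parts = header_value.strip().split(None, 1)
    if not parts or parts[0].lower() != "negotiate":
        return "not-negotiate"
    if len(parts) == 1:
        return "no-token"
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                                   # raw NTLM sent under Negotiate
    if token[:1] == b"\x60":                            # GSS-API initial context token
        if NTLMSSP_SIGNATURE in token:
            return "ntlm"                               # NTLM wrapped in SPNEGO
        if any(oid in token for oid in KRB5_OIDS):
            return "kerberos"
    return "unknown"


def _tlv(tag, body):
    """DER tag-length-value with a short-form length (enough for the samples)."""
    return bytes([tag, len(body)]) + body


# Constructed samples: valid SPNEGO/NTLM framing around placeholder payloads.
_ap_req_stub = _tlv(0x60, KRB5_OIDS[0] + b"\x01\x00")
_neg_token_init = _tlv(0x30, _tlv(0xA0, _tlv(0x30, KRB5_OIDS[0]))
                       + _tlv(0xA2, _tlv(0x04, _ap_req_stub)))
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(
    _tlv(0x60, SPNEGO_OID + _tlv(0xA0, _neg_token_init))).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 24).decode()

if __name__ == "__main__":
    for name, value in (("kerberos sample", SAMPLE_KERBEROS), ("ntlm sample", SAMPLE_NTLM)):
        print(name, "->", classify_authorization(value))
```

Paste the header value copied from the browser utility into `classify_authorization`. A token whose base64 text begins with `TlRMTVNTUAAB` is an NTLM negotiate message.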
The following commands are useful for troubleshooting:
- klist tickets: lists open tickets with TGS
- klist purge: closes tickets with TGS
Problems with the module configuration can be detected by turning on BMC Atrium Single Sign-On debug logging and attempting to log in by using a test URL. Log entries are generated in the debug.out log file when message level debugging is configured.
The following troubleshooting topics are addressed here:
- Invalid user name for Kerberos authentication
- Invalid service principal name for Kerberos authentication
- Invalid keytab index number for Kerberos authentication
- Invalid password for Kerberos authentication
- Incorrect server name for Kerberos authentication
- Browser sending NTLM instead of Kerberos
- Browser not correctly configured for Kerberos authentication
- Clock skew too great for Kerberos authentication
- Chained authentication failure in Microsoft Internet Explorer
- Limited Kerberos service tickets size issue
- krb5.ini file issues
- Enabling debug logging in BMC Atrium SSO server