This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Troubleshooting Kerberos authentication

When diagnosing Kerberos authentication failures, start with the logs on the Key Distribution Center (KDC), which in an Active Directory domain is the domain controller (this documentation calls it the Ticket Granting Server, TGS); it records why a ticket was refused. Then capture the HTTP headers exchanged between the browser and the BMC Atrium Single Sign-On server, either with a browser add-on (for example HTTPHeaders for Internet Explorer or Live HTTP Headers for Firefox) or with the Network panel of the browser's developer tools. Two headers matter: the server's 401 response must carry WWW-Authenticate: Negotiate, and the browser's next request must carry Authorization: Negotiate followed by a base64 token. A token that begins with YI is a Kerberos (SPNEGO) ticket; one that begins with TlRMTVNT is NTLM, which means the browser could not obtain a service ticket (typically because the SPN is not registered, or the SSO host is not in Internet Explorer's Local intranet zone) and fell back. Headers therefore show on which side the exchange breaks.

The following Windows commands, run on the client, are useful for troubleshooting:

  • klist tickets lists the tickets cached for the current logon session; look for one whose Server is HTTP/<SSO host name>. If only the krbtgt ticket is present, the browser never obtained a service ticket for the SSO server.
  • klist purge discards the cached tickets, so that the next access to the server requests fresh ones from the KDC (do this after changing the SPN or regenerating the keytab, otherwise a stale ticket keeps being presented).
  • klist get HTTP/<SSO host name> (Windows 7, Windows Server 2008 R2 and later) requests the service ticket directly and shows the KDC's error when the SPN cannot be resolved.

Problems with the module configuration can be detected by turning on BMC Atrium Single Sign-On debug logging and attempting to log in by using a test URL. Log entries are written to the debug.out log file when message-level debugging is configured.

The following sections describe specific Kerberos issues.

Generic Kerberos authentication issues

Enabling Kerberos logging in the JVM through system properties

To trace the Kerberos V5 exchange performed by the JVM (KDC lookups, AS and TGS requests, and the keytab entries and key versions it tries), set the system property sun.security.krb5.debug to true, for example by adding -Dsun.security.krb5.debug=true to the Tomcat JVM options (CATALINA_OPTS). The trace goes to standard output (catalina.out under Tomcat), not to debug.out. It is verbose and can include key material, so remove the property once troubleshooting is done.

Increasing HTTP header size in Tomcat

The Kerberos service ticket is passed as the value of the Authorization header in the HTTP request. The default maximum header size in Apache Tomcat is 4096 bytes (4 KB), but the ticket carries the user's PAC, which lists every group the user belongs to, so for users in many groups the header can reach 28 KB. Tomcat then rejects the request before it reaches BMC Atrium Single Sign-On, the logon fails, and the browser displays an error message.

To fix this issue, set the maxHttpHeaderSize attribute (in bytes) on the Connector in Tomcat's server.xml that receives the logon request (the HTTPS connector, port 8443 in the log excerpts on this page, or the HTTP connector if that is what the browser or a reverse proxy talks to) to a value large enough for the largest header, for example 32768, and restart Tomcat. If a reverse proxy or load balancer sits in front of Tomcat, raise its header limit as well (for example LimitRequestFieldSize in the Apache HTTP Server), because it rejects the oversized request first.
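The header inspection described in the introduction and the size check above can be scripted against a captured header block. The following is an added Python example, not code from BMC Atrium Single Sign-On: it reports which schemes a 401 response offers, whether the browser's Authorization: Negotiate token is really Kerberos or an NTLM fallback, and whether the request header block exceeds Tomcat's default maxHttpHeaderSize, suggesting a replacement value. The host name, paths and token contents are constructed; only the OIDs, the GSS-API framing and the NTLMSSP signature are real protocol constants, and the Kerberos/NTLM distinction is a heuristic on those constants.

```python
"""Classify a browser's Negotiate token and size the request headers for Tomcat.

Added example, not BMC Atrium Single Sign-On code. The header capture, host
name and token contents are constructed; only the OIDs, the GSS-API framing
and the NTLMSSP signature are real protocol constants.
"""
import base64

TOMCAT_DEFAULT_MAX_HTTP_HEADER_SIZE = 4096                       # Tomcat default maxHttpHeaderSize
SPNEGO_OID_DER = b"\x06\x06\x2b\x06\x01\x05\x05\x02"             # OID 1.3.6.1.5.5.2
KRB5_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"   # OID 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def make_gss_token(mech_oid_der, inner):
    """Wrap inner bytes as a GSS-API InitialContextToken ([APPLICATION 0], RFC 2743)."""
    payload = mech_oid_der + inner
    return b"\x60" + _der_len(len(payload)) + payload


def make_ntlm_negotiate():
    """Constructed NTLMSSP NEGOTIATE_MESSAGE (type 1): signature, type, flags, empty fields."""
    return NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(24)


def encode_token(raw):
    return base64.b64encode(raw).decode("ascii")


def classify_negotiate_token(b64):
    """NTLM tokens carry the NTLMSSP signature (also when SPNEGO wraps them); Kerberos
    tokens are DER [APPLICATION 0] followed by the SPNEGO or krb5 mechanism OID."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid-base64"
    if NTLMSSP_SIGNATURE in raw:
        return "ntlm"
    if raw[:1] == b"\x60" and (SPNEGO_OID_DER in raw[:16] or KRB5_OID_DER in raw[:16]):
        return "kerberos"
    return "unknown"


def parse_header_block(text):
    """Split a raw HTTP header block into (start line, [(name, value), ...])."""
    lines = text.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def offered_schemes(raw_response):
    """Schemes a 401 response offers in WWW-Authenticate; Negotiate must be among them."""
    _, headers = parse_header_block(raw_response)
    return [value.split(" ")[0] for name, value in headers if name.lower() == "www-authenticate"]


def diagnose_request(raw_request):
    """Which mechanism the browser really sent, and whether the header block fits Tomcat."""
    _, headers = parse_header_block(raw_request)
    size = len(raw_request.encode("latin-1"))   # request line plus headers, as Tomcat buffers them
    result = {"scheme": None, "mechanism": None, "header_block_bytes": size,
              "exceeds_tomcat_default": size > TOMCAT_DEFAULT_MAX_HTTP_HEADER_SIZE,
              "recommended_max_http_header_size": None}
    for name, value in headers:
        if name.lower() == "authorization":
            scheme, _, token = value.partition(" ")
            result["scheme"] = scheme
            if scheme.lower() == "negotiate":
                result["mechanism"] = classify_negotiate_token(token)
            elif scheme.lower() == "ntlm":
                result["mechanism"] = "ntlm"
    if result["exceeds_tomcat_default"]:
        # next 8 KB boundary above what was observed; users in more groups need more headroom
        result["recommended_max_http_header_size"] = 8192 * (size // 8192 + 1)
    return result


def sample_request(ap_req_padding=20000):
    """Constructed second request after the 401 challenge; zero bytes stand in for the
    AP-REQ whose PAC (the user's group SIDs) is what makes real tickets large."""
    token = encode_token(make_gss_token(SPNEGO_OID_DER, bytes(ap_req_padding)))
    return ("GET /atriumsso/ HTTP/1.1\r\n"
            "Host: sso.example.com\r\n"              # assumed host name
            "Authorization: Negotiate " + token + "\r\n"
            "User-Agent: Mozilla/5.0\r\n\r\n")
```

Paste the request header block from the browser capture into diagnose_request; a mechanism of "ntlm" means the Kerberos side (SPN, zone, trust) should be fixed first, whereas "kerberos" together with exceeds_tomcat_default points at the connector setting described above.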

Enabling Kerberos logging on a specific computer

Microsoft Windows 2000, Windows Server 2003, Windows Server 2008 and later versions can trace detailed Kerberos events through the event log. Enable it on the Windows computer that fails to obtain a ticket (normally the client); the entries appear in the System event log with source Kerberos and are particularly useful for finding service principal name (SPN) lookup problems.

  1. Start Registry Editor (Regedit.exe; Regedt32.exe starts the same tool on current versions).
  2. Locate the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

    (If the Parameters subkey does not exist, create it.)
  3. Add the following registry value:
    • Value Name: LogLevel
    • Data Type: REG_DWORD
    • Value: 1

Kerberos logging also records errors that are part of normal operation (for example KDC_ERR_PREAUTH_REQUIRED, or KDC_ERR_S_PRINCIPAL_UNKNOWN from speculative lookups), so read the entries in context, and delete the LogLevel value when you have finished troubleshooting.
Chained authentication modules failure for Internet Explorer

When Kerberos is chained with LDAP or AR (BMC Remedy AR System) authentication and the user enters logon credentials in Internet Explorer (IE), the authentication fails. The setting below disables IE's NTLM pre-authentication, in which it resends the Windows credentials it used earlier in the session on later requests; that behaviour interferes with the chained module's own credential prompt.

To resolve this issue on the client (the value is per user, so deploy it through Group Policy preferences for all affected users):

  1. Start Registry Editor (Regedit.exe).
  2. Find the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  3. Add the following registry value to the key:
    • Value Name: DisableNTLMPreAuth
    • Data Type: REG_DWORD
    • Value: 1


Invalid service principal name for Kerberos authentication

The following log entries indicate a discrepancy between the service principal name (SPN) stored in the keytab file and the principal that actually exists in Active Directory (the KDC, called the TGS in this documentation). The login module authenticates to the KDC as the principal named in the keytab; when that principal has been renamed or removed without regenerating the keytab, the KDC answers with error 6 (KDC_ERR_C_PRINCIPAL_UNKNOWN, shown as "Client not found in Kerberos database").

To fix this issue, compare the names character by character, because Kerberos principal names are case-sensitive: list the keytab with klist -k -t <keytab file> (JDK or MIT Kerberos) and the account's registered SPNs with setspn -L <service account> on a domain controller, and check that the realm in the keytab is the domain name in upper case. Re-generate the keytab file if the service principal name has been changed.

amAuthWindowsDesktopSSO:06/28/2011 04:24:33:854 PM CDT: Thread[http-8443-1,5,main]
New Service Login ...
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main]
ERROR: Service Login Error:
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main]
Stack trace:
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
Invalid key version number (KVNO) in the keytab for Kerberos authentication

The KDC encrypts each service ticket with the current version of the service account's key, and the service decrypts it with the key of that version from its keytab. The exception below is logged when the keytab holds a different key version than the one named in the ticket (error 44, KRB_AP_ERR_BADKEYVER). This happens whenever the service account's password is reset or ktpass is run against it again, because each of those increments the KVNO in Active Directory and leaves the old keytab stale.

To fix this issue, regenerate the keytab file and specify the /kvno 0 option to ensure compatibility of the KVNO value. Because ktpass with /pass sets the account password, copy the new keytab to every BMC Atrium Single Sign-On server that uses the account, and purge the cached tickets on test clients (klist purge) before testing again.

amJAAS:10/18/2011 09:35:00:435 AM PDT: Thread[http-8443-1,5,main]
Exception: com.sun.identity.authentication.spi.AuthLoginException: Failed to authentication.
Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
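The two keytab checks above (is the service principal present at the KDC under exactly that name, and is the key version current) can be reproduced offline. The following is an added Python example and not code from BMC Atrium Single Sign-On: it writes and parses the MIT keytab format that ktpass produces and compares each entry against a constructed stand-in for the KDC's view of the service account, returning the same error codes that appear in the log excerpts on this page. The realm, SPN, key bytes and KVNO values are assumptions; the treatment of KVNO 0 as "any version" follows the /kvno 0 advice above.

```python
"""Compare a keytab's service principal and key version with what the KDC holds.

Added example, not BMC Atrium Single Sign-On code. The keytab bytes, realm,
SPN, key material and KVNO values are constructed; the kdc_directory dict is a
stand-in for the Active Directory account that ktpass mapped the SPN to.
"""
import struct
import time

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6    # "Client not found in Kerberos database (6)"
KRB_AP_ERR_BADKEYVER = 44          # "Specified version of key is not available (44)"
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _counted(raw):
    return struct.pack(">H", len(raw)) + raw


def _read_counted(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT keytab (format 0x0502)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name_type 1 (NT-PRINCIPAL), timestamp, 8-bit vno, then the keyblock
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)            # 32-bit vno that newer keytabs append
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Parse an MIT keytab into dicts; a negative entry size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        key, pos = data[pos:pos + klen], pos + klen
        kvno = vno8
        if end - pos >= 4:                         # optional 32-bit vno wins when non-zero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = vno32 or kvno
        pos = end
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append({"principal": principal, "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def check_keytab(keytab_bytes, kdc_directory):
    """One finding per keytab entry, reproducing the two failures described on this page.
    kdc_directory maps principal -> current KVNO at the KDC (constructed stand-in for AD)."""
    findings = []
    for entry in parse_keytab(keytab_bytes):
        name = entry["principal"]
        if name not in kdc_directory:
            # principal names are case-sensitive: "http/host" is not "HTTP/host"
            near = [p for p in kdc_directory if p.lower() == name.lower()]
            hint = "case differs from %s" % near[0] if near else "principal not registered at the KDC"
            findings.append({"principal": name, "ok": False, "code": KDC_ERR_C_PRINCIPAL_UNKNOWN, "hint": hint})
            continue
        current = kdc_directory[name]
        if entry["kvno"] in (0, current):          # KVNO 0 means "any version" (the /kvno 0 advice)
            findings.append({"principal": name, "ok": True, "code": 0, "hint": "KVNO %d matches" % current})
        else:
            hint = "keytab KVNO %d but KDC KVNO %d: regenerate the keytab" % (entry["kvno"], current)
            findings.append({"principal": name, "ok": False, "code": KRB_AP_ERR_BADKEYVER, "hint": hint})
    return findings


def sample_keytab(principal="HTTP/sso.example.com@EXAMPLE.COM", kvno=3):
    """Constructed keytab with an all-zero AES-256 key standing in for the real one."""
    return build_keytab([(principal, kvno, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(32))])
```

On a real deployment, read the keytab file's bytes into parse_keytab and fill kdc_directory from the account's current msDS-KeyVersionNumber and registered SPNs; a finding with code 6 corresponds to the first log excerpt above and code 44 to the second.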