Troubleshooting Kerberos authentication

To enable Kerberos logging, set the system property sun.security.krb5.debug to true. This setting allows you to monitor the execution of the Kerberos V5 protocol.

A Kerberos service ticket is passed as a header value in the http request. The default maximum header size value in Apache Tomcat is 4096 (equal to 4 KB). At the same time, under some circumstances, the size of the header containing the Kerberos service ticket could reach 28 KB. This large size causes the logon to fail and the browser to display an error message, because Tomcat does not respond to such requests.

To fix this issue, specify a maxHttpHeaderSize attribute on the http connector, and set a value (in bytes) that is large enough to accommodate the header size.

Enabling Kerberos logging on a specific computer

Microsoft Windows 2000, Windows Server 2003, and Windows Server 2008 can trace detailed Kerberos events through the event log mechanism. You can use these event logs when you troubleshoot Kerberos, particularly when you need to find service principal name (SPN) lookup problems.

1. Start Registry Editor (Regedt32.exe).
2. Add the following registry value:
   

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

   (If the Parameters subkey does not exist, create it.)
3. Add the following registry value:
   
   • Value Name: LogLevel
   • Data Type: REG_DWORD
   • Value: 1

When Kerberos is chained together with LDAP or AR for authentication and when you use Internet Explorer (IE) to enter your logon credentials, the authentication fails.

To resolve this issue, from the client side:

1. Start Registry Editor (Regedt32.exe).
2. Find the following registry key:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
3. Add the following registry value to the key:

• • Value Name: DisableNTLMPreAuth
• • Data Type: REG_DWORD
  • Value: 1
    
    

The Kerberos service ticket is passed as a header value in the http request. Though the default maximum header size in tomcat is 4096 (4KB), under some circumstances the header size may go up to 28 KB. The login fails because of the large size, and the browser displays an error message because Tomcat does not respond to such requests.

To fix this issue, specify a maxHttpHeaderSize attribute on the https connector and set a large enough value in bytes.

The following error messages indicate a possible failure due to a discrepancy between the service principal name in the keytab file and the actual service principal name in the TGS or Active Directory. This error is caused when the service principal in the TGS is renamed without updating the keytab file.

To fix this issue, validate the name (case-sensitive) and re-generate the keytab file if the service principal name has been changed.

amAuthWindowsDesktopSSO:06/28/2011 04:24:33:854 PM CDT: Thread[http-8443-1,5,main]

New Service Login ...

amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main]

ERROR: Service Login Error:

amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main]

Stack trace:

javax.security.auth.login.LoginException: Client not found in Kerberos database (6)

    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)

    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)

This exception failure is generated in the logs when the keytab file is generated with a KVNO value different from the one specified in the ticket.

To fix this issue, regenerate the keytab file and specify the /kvno 0 option to ensure compatibility of the KVNO value.

amJAAS:10/18/2011 09:35:00:435 AM PDT: Thread[http-8443-1,5,main]

Exception: com.sun.identity.authentication.spi.AuthLoginException: Failed to authentication.

Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))