Troubleshooting Kerberos authentication
When diagnosing Kerberos authentication failures, access the logs on the Ticket Granting Server (TGS) to identify failure root causes. In addition, install a utility program (for example, HTTPHeaders for Internet Explorer and Live HTTP Headers for Firefox) into the browser to display headers that are sent between the browser and the BMC Atrium Single Sign-On server. Headers help identify failure points.
The following commands are useful for troubleshooting:
- klist tickets: lists the open tickets held with the TGS
- klist purge: closes (purges) the tickets held with the TGS
Problems with the module configuration can be detected by turning on BMC Atrium Single Sign-On debug logging and attempting to log in by using a test URL. Log entries are generated in the debug.out log file when message level debugging is configured.
The following is the list of specific Kerberos issues:
- Invalid user name for Kerberos authentication
- Invalid service principal name in Kerberos authentication
- Invalid KVNO for Kerberos authentication
- Invalid password for Kerberos authentication
- Incorrect server name for Kerberos authentication
- Browser sending NTLM instead of Kerberos
- Browser not correctly configured for Kerberos authentication
- Clock skew too great for Kerberos authentication
- Chained authentication failure in Microsoft Internet Explorer
- Using the krb5.conf file
- Enabling debug logging in BMC Atrium Single Sign-On server
Generic Kerberos authentication issues
The following table describes troubleshooting issues related to Kerberos authentication.
Issue | Description |
---|---|
Enabling Kerberos logging in JVM through system properties | To enable Kerberos logging, set the system property |
Increasing HTTP header size in Tomcat | A Kerberos service ticket is passed as a header value in the http request. The default maximum header size value in Apache Tomcat is 4096 (equal to 4 KB). At the same time, under some circumstances, the size of the header containing the Kerberos service ticket could reach 28 KB. This large size causes the logon to fail and the browser to display an error message, because Tomcat does not respond to such requests. To fix this issue, specify a maxHttpHeaderSize attribute on the http connector, and set a value (in bytes) that is large enough to accommodate the header size. |
Enabling Kerberos logging on a specific computer | Microsoft Windows 2000, Windows Server 2003, and Windows Server 2008 can trace detailed Kerberos events through the event log mechanism. You can use these event logs when you troubleshoot Kerberos, particularly when you need to find service principal name (SPN) lookup problems. |
Chained authentication modules failure for Internet Explorer | When Kerberos is chained together with LDAP or AR for authentication and when you use Internet Explorer (IE) to enter your logon credentials, the authentication fails. To resolve this issue, from the client side: |
Invalid service principal name for Kerberos authentication | The following error messages indicate a possible failure due to a discrepancy between the service principal name in the keytab file and the actual service principal name in the TGS or Active Directory. This error is caused when the service principal in the TGS is renamed without updating the keytab file. To fix this issue, validate the name (case-sensitive) and re-generate the keytab file if the service principal name has been changed. amAuthWindowsDesktopSSO:06/28/2011 04:24:33:854 PM CDT: Thread[http-8443-1,5,main] New Service Login ... amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main] ERROR: Service Login Error: amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main] Stack trace: javax.security.auth.login.LoginException: Client not found in Kerberos database (6) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542) |
Invalid keytab index number for Kerberos authentication | This exception failure is generated in the logs when the keytab file is generated with a KVNO value different from the one specified in the ticket. To fix this issue, regenerate the keytab file and specify the /kvno 0 option to ensure compatibility of the KVNO value. amJAAS:10/18/2011 09:35:00:435 AM PDT: Thread[http-8443-1,5,main] Exception: com.sun.identity.authentication.spi.AuthLoginException: Failed to authentication. Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44)) |
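The table above describes three checks that are easy to automate while troubleshooting: whether the browser actually sent a Kerberos (SPNEGO) token or fell back to NTLM, whether the Authorization header fits within Tomcat's default 4096-byte maxHttpHeaderSize, and which table entry a given debug.out error line corresponds to. The following Python script is an added example and is not part of the BMC documentation; the SPNEGO/Kerberos OID bytes and the NTLMSSP signature are standard protocol constants rather than values from this page, the sample tokens are constructed, and the sample log lines reuse the entries shown in the table.

```python
import base64
import re

# Tomcat's default maxHttpHeaderSize in bytes, as stated in the table above.
TOMCAT_DEFAULT_MAX_HEADER = 4096

# Standard DER-encoded mechanism OIDs (protocol constants, not taken from this page).
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                  # raw NTLM message header


def classify_negotiate_token(header_value):
    """Classify an 'Authorization' header value as 'kerberos', 'ntlm' or 'unknown'.

    A browser that fell back to NTLM sends a raw NTLMSSP message inside
    'Negotiate ...'; a Kerberos-capable browser sends a SPNEGO NegTokenInit
    whose mechTypes list contains one of the Kerberos OIDs.
    """
    match = re.match(r"^Negotiate\s+(\S+)$", header_value.strip())
    if not match:
        return "unknown"
    try:
        token = base64.b64decode(match.group(1), validate=True)
    except ValueError:
        return "unknown"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if SPNEGO_OID in token and (KRB5_OID in token or MS_KRB5_OID in token):
        return "kerberos"
    return "unknown"


def header_fits(header_value, max_header_size=TOMCAT_DEFAULT_MAX_HEADER):
    """True if 'Authorization: <value>\\r\\n' alone fits in maxHttpHeaderSize.

    The limit applies to the whole header block, so this is a lower bound:
    a False result means the login will certainly fail on the default setting.
    """
    line = "Authorization: " + header_value + "\r\n"
    return len(line.encode("ascii")) <= max_header_size


# Error text from the log entries shown in the table, mapped to the table's issue.
KERBEROS_ERROR_HINTS = [
    (r"Client not found in Kerberos database \(6\)", "invalid_spn",
     "Keytab SPN differs from the principal in the TGS/AD; check case and regenerate the keytab"),
    (r"Specified version of key is not available \(44\)", "invalid_kvno",
     "Keytab KVNO differs from the ticket; regenerate the keytab with the /kvno 0 option"),
    (r"Clock skew too great", "clock_skew",
     "Server clock differs too much from the KDC; synchronise the clocks"),
]


def diagnose_log(lines):
    """Return (line_number, issue_key, advice) for every recognised Kerberos error."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for pattern, key, advice in KERBEROS_ERROR_HINTS:
            if re.search(pattern, line):
                findings.append((number, key, advice))
    return findings


def constructed_spnego_kerberos_token():
    """Constructed sample: a minimal NegTokenInit shell listing the Kerberos OID."""
    mech_types = b"\x06\x09" + KRB5_OID
    mech_list = b"\x30" + bytes([len(mech_types)]) + mech_types
    tagged = b"\xa0" + bytes([len(mech_list)]) + mech_list
    seq = b"\x30" + bytes([len(tagged)]) + tagged
    neg_init = b"\xa0" + bytes([len(seq)]) + seq
    body = b"\x06\x06" + SPNEGO_OID + neg_init
    return b"\x60" + bytes([len(body)]) + body


# Constructed sample headers (not captured from a real browser).
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28).decode("ascii")
SAMPLE_KERBEROS_HEADER = "Negotiate " + base64.b64encode(
    constructed_spnego_kerberos_token()).decode("ascii")

# Sample log lines reproduced from the table above.
SAMPLE_LOG = [
    "amAuthWindowsDesktopSSO:06/28/2011 04:24:33:854 PM CDT: Thread[http-8443-1,5,main] New Service Login ...",
    "amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main] Stack trace: "
    "javax.security.auth.login.LoginException: Client not found in Kerberos database (6)",
    "amJAAS:10/18/2011 09:35:00:435 AM PDT: Thread[http-8443-1,5,main] Exception: "
    "com.sun.identity.authentication.spi.AuthLoginException: Failed to authentication. "
    "Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))",
]

if __name__ == "__main__":
    for header in (SAMPLE_NTLM_HEADER, SAMPLE_KERBEROS_HEADER):
        print(classify_negotiate_token(header), "fits default Tomcat limit:", header_fits(header))
    for number, key, advice in diagnose_log(SAMPLE_LOG):
        print(f"line {number}: {key}: {advice}")
```

Run against a header captured with the browser add-ons mentioned at the top of the page, `classify_negotiate_token` tells you immediately whether you are looking at the "Browser sending NTLM instead of Kerberos" case rather than a keytab problem, and `header_fits` with the default limit shows whether a large service ticket is the reason Tomcat never answers.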