Troubleshooting Kerberos and Kerberos SSO
This section provides information on troubleshooting Kerberos and Kerberos SSO.
The following error messages may appear in log files or debugging information if Kerberos or Kerberos SSO has not been set up correctly.
To turn debugging on, add mks.security.debug=true to security.properties.
• ERROR(0): No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)).
If this error message appears in the client side log file, your mks.security.clientServiceName setting is not correct. Make sure it is set to be the name of the user the Windchill RV&S server is running as.
• WARNING(0): The registry key required to support Kerberos Single-Sign-On is missing. You may wish to add them manually.
WARNING(0): Integrity Server does not allow registry key to be automatically added. Either add the key manually or consult your Integrity Server administrator.
WARNING(0): On Windows Server 2000 and 2003 the key "allowtgtsessionkey" in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters with value 1 should be added (reboot may be required).
If any of these error messages appear in the client side log file, the client side registry key is missing.
• ERROR(0): No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket).
If this error appears in the client side log file, either the mks.security.kerberosRealmName or the mks.security.kdcAddress setting is wrong; for example, the realm name is not entered in uppercase.
• 15:52:35,661 INFO [IntegrityServer] DEBUG(10): Login exception encountered while attempting authentication of user kmorton via policy default-policy. Details of exception No valid credentials provided (Mechanism level: Failed to find any Kerberos Key).
If this error message appears in the server side log file, the mks.security.SPN setting does not match the -princ option given in the ktpass command.
• 17:37:03,208 INFO [STDOUT] error Message is Client not found in Kerberos database.
If this error message appears in the Kerberos debug information, there is a problem with the keytab file. It may contain an invalid principal name, or the mks.security.SPN setting may not match the -princ option given in the ktpass command.
• DEBUG(10): Login exception encountered while attempting authentication of user ldaprealmtest1 via policy default-policy. Details of exception Pre-authentication information was invalid (24).
If this error message appears in the server log when trying to authenticate using either a windows_clear or windows_private security policy, the case is wrong in the mks.security.kerberosRealmName or mks.security.kdcAddress setting in security.properties.
• DEBUG(10): Login exception encountered while attempting authentication of user ldaprealmtest1 via policy default-policy. Details of exception Clock skew too great (37).
If this error appears in the server log when trying to authenticate using either a windows_clear or windows_private security policy, the clock on the server is not synchronized with the clock on the client machines. For the Kerberos authentication domain to work, the server and client clocks must be synchronized (within a reasonable amount of time).
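The message-to-cause mapping above can be applied mechanically to a log file and a copy of security.properties. The following Python sketch is an added example, not part of the product or its documentation; the function names `parse_properties` and `triage` are hypothetical, and the sample property values and log excerpt are constructed.

```python
import re
from collections import Counter

REALM_KDC = ["mks.security.kerberosRealmName", "mks.security.kdcAddress"]
# Log pattern -> what this page says to check when the message appears.
CAUSES = {
    r"Server not found in Kerberos database": ["mks.security.clientServiceName"],
    r"registry key|allowtgtsessionkey": ["client registry key allowtgtsessionkey"],
    r"Failed to find any Kerberos Ticket": REALM_KDC,
    r"Failed to find any Kerberos Key": ["mks.security.SPN"],
    r"Client not found in Kerberos database": ["keytab principal", "mks.security.SPN"],
    r"Pre-authentication information was invalid": REALM_KDC,
    r"Clock skew too great": ["clock synchronization"],
}

# Constructed sample input, not taken from a real installation.
SAMPLE_PROPS = """mks.security.kerberosRealmName=example.com
mks.security.kdcAddress=kdc.example.com
"""
SAMPLE_LOG = """ERROR(0): No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket).
ERROR(0): No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket).
DEBUG(10): Login exception encountered while attempting authentication of user kmorton via policy default-policy. Details of exception Clock skew too great (37).
"""

def parse_properties(text):
    """Minimal key=value reader: skips blank lines and # or ! comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def triage(log_text, props):
    """Map matched log errors to the items to check, with hit counts and current values."""
    hits = Counter()
    for line in log_text.splitlines():
        for pattern, checks in CAUSES.items():
            if re.search(pattern, line):
                hits.update(checks)
    report = {}
    for check, count in hits.items():
        value = props.get(check)  # None for non-property checks such as clocks
        bad_case = check == REALM_KDC[0] and value and value != value.upper()
        note = "realm name is not uppercase" if bad_case else ""
        report[check] = {"hits": count, "value": value, "note": note}
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, parse_properties(SAMPLE_PROPS)))
```

Repeated messages are counted once per setting, so the report shows which setting to review first and its current value alongside it.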
For additional troubleshooting information, visit the following Web page: