Special Considerations for Kerberos
If your security policy uses Windows, you are using the Kerberos authentication domain. There are special considerations and setup steps for the Kerberos domains.
Additional Realm Settings
If you are using a security scheme with a Windows security realm, uncomment and specify values for the following properties in security.properties:
mks.security.kerberosRealmName
mks.security.kdcAddress
Troubleshooting
The following error messages may appear in log files or debugging information if Kerberos is not setup correctly.
|
To enable debugging, add mks.security.debug=true to security.properties.
|
• ERROR(0): No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
If this error message displays in the client-side log file, your mks.security.clientServiceName setting is not correct. Make the setting specifies the name of the user the Windchill RV&S Server is running as.
• ERROR(0): No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
If this error displays in the client-side log file, either the mks.security.kerberosRealmName or mks.security.kdcAddress setting is wrong, for example, the realm name is not entered in uppercase.
• DEBUG(10): Login exception encountered while attempting authentication of user ldaprealmtest1 via policy default-policy. Details of exception Pre-authentication information was invalid (24)
If this error message displays in the server log when trying to authenticate using either a windows_clear or windows_private security policy, the case is wrong in the mks.security.kerberosRealmName or mks.security.kdcAddress setting in security.properties.
• DEBUG(10): Login exception encountered while attempting authentication of user ldaprealmtest1 via policy default-policy. Details of exception Clock skew too great (37)
If this error message displays in the server log when trying to authenticate using either a windows_clear or windows_private security policy, the clock on the server is not synchronized with the clock on your client machines. For the Kerberos authentication domain to work, the server and client clocks must be synchronized (within a reasonable amount of time).
For additional troubleshooting information, visit the following Web page: