MustGather: SPNEGO problems on WebSphere traditional

Troubleshooting

Problem

This document describes the process for collecting data for problems with the SPNEGO component on IBM WebSphere® Application Server traditional. Gathering this MustGather information before you call IBM support can help you understand the problem and save time analyzing the data.

Resolving The Problem

Runtime:

This document is for collecting data for WEBSPHERE TRADITIONAL. If you want to collect data for Liberty, see MustGather: SPNEGO problems on WebSphere Liberty or click the Liberty tab above.

Read first and related MustGathers

MustGather: Read first for WebSphere Application Server and Liberty

EJB container problem Servlet engine and Web container problem Security problem

For a listing of all technotes, downloads, and educational materials specific to the Security component, search the WebSphere Application Server support portal.
Exchange data with IBM Support
To diagnose or identify a problem, it is sometimes necessary to provide Technical Support with data and information from your system. In addition, Technical Support might also need to provide you with tools or utilities to be used in problem determination. You can submit files by using one of following methods to help speed problem diagnosis:
- Service Request (SR)
- Email
- FTP to the Enhanced Customer Data Repository (ECuRep)
Instructions for exchanging information with IBM Support
SPNEGO on WebSphere traditional trace specifications
- Java ™ Virtual Machine (JVM) properties:
  
  Name: com.ibm.security.jgss.debug
  Value: all
  
  Name: com.ibm.security.krb5.Krb5Debug
  Value: all
- Diagnostic trace specification:
  
  *=info:SecurityDomain=all:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.wsspi.security.*=all
Avoid Trouble: Trace specifications must be entered as one line with no breaks or spaces.
Diagnostic questions
Provide answers to the following diagnostic questions:
1. Obtain versions information:
  WebSphere Application Server version :
  Active Directory version :
  Client OS version :
2. What is the full web request URL accessed by the client browser?
3. Is the requested hostname a DNS alias (CNAME Record) or real hostname (A Record)?
4. What Active Directory user ID is used to map to the wanted SPN's?
  Provide a screen capture of the Active Directory User properties Account Tab for this user.
5. Provide the commands issued to create the keytab and SPN-mappings on the AD server.
  - If possible, also provide the command output.
6. Provide screen captures of SPN hostname filter entries in the WebSphere admin console.
7. Are more SPNEGO filter criteria being used?
  - If yes, what are they?
8. Find all SPN-mapping occurrences mapped to AD user names; on the Active Directory Server, run following command:
  
  C:\ldifde -f output.txt -r "(servicePrincipalName=HTTP/hostname.domain.com)"
  
  (hostname.domain.com is the same fully qualified hostname used in the web request by the client)
9. Are there any load balancers, firewalls, proxies, or web servers in the mix, or any devices/appliances between the client browser and WebSphere?
  - If so, provide basic login flow details with relevant topology involved.
10. Is this a single Active Directory domain or do you have trusted domains/forests?
  - Elaborate if the latter.
11. Screen captures of client browser SPNEGO settings.
12. Provide your krb5 config and keytab files.
13. Is SPNEGO configured within a security domain?
  - If so, provide the ../<profile_root>/config/waspolicies directory.
Collect data for WebSphere traditional (step by step)
This section is for collecting data for WEBSPHERE TRADITIONAL. If you want to collect data for Liberty click here or see the Liberty tab above.

Before you collect data, be sure to answer the Diagnostic questions in the section above.

You may choose to follow this step-by-step document or you can watch the video in the Collect data for WebSphere traditional (Video) section.

SPNEGO issues on WebSphere may be difficult to troubleshoot. Make sure to collect all the information below. When all the information for your issue is ready, follow the instructions on Exchanging information with IBM Technical Support for problem determination to send the information and files that you collected.
SET UP WEBSPHERE TRADITIONAL FOR SPNEGO TRACING

NOTE: If possible, when capturing the traces, attempt a re-create using the default application /snoop servlet instead of any custom application. This can help rule out any application issues and confirm if SPNEGO configuration is truly working or not.

Set up the JVM for SPNEGO tracing:
1. In the administrative console, navigate to Servers > Application Servers > server_name. Under Server Infrastructure, expand Java and process management. Click Process Definition > Java Virtual Machine > Custom Properties. Create two new Java ™ Virtual Machine (JVM) properties:
  
  Name: com.ibm.security.jgss.debug
  Value: all
  
  Name: com.ibm.security.krb5.Krb5Debug
  Value: all
Set up the WebSphere traditional for SPNEGO tracing:
1. Expand TroubleShooting > Logs and Trace > server_name.
2. Click Diagnostic Trace Service. Increase the Maximum Number of Historical Files from 1 to 10.
3. Click Apply, then click Change Log Detail Levels.
4. Clear the trace string in the box and replace it with the following trace string:
  
  *=info:SecurityDomain=all:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all
5. Click Apply, and Save.
COLLECT WEBSPHERE TRADITIONAL SPNEGO TRACES

Stop the server and clean the logs, re-create the issue, so we have a fresh and concise set of information
1. Stop the server and delete or rename all the logs in the profile_home/logs directory. Then restart the server.
2. Reproduce the problem, making note of the following information:
  
  Time when the problem occurs
  The client user ID which logged in to the Microsoft Domain
  The Microsoft Domain name itself
  The exact URL being invoked.
GATHER WEBSPHERE TRADITIONAL SPNEGO DATA TO SEND TO IBM SUPPORT
- Run the Collector Tool, which is located in the profile_home/bin directory, on both Network Deployment (for federated environment only) and base Application Server profiles.
Collect data for WebSphere traditional (Video)

This section is for collecting data for Problems with SPNEGO on WebSphere traditional. If you want to collect data for Problems with SPNEGO on WebSphere Liberty click here or see the Liberty tab above.

Before you collect data, be sure to answer the Diagnostic questions in the section above.

You may choose to watch this video or follow the step-by-step instructions in the Collect data for WebSphere traditional (step by step) section.

SPNEGO issues on WebSphere may be difficult to troubleshoot. Make sure to collect all the information described in the video. When all the information for your issue is ready, follow the instructions on Exchanging information with IBM Technical Support for problem determination to send the information and files that you collected.

The following video goes over the necessary steps to collect data for a SPNEGO problem on WebSphere traditional.

Name: com.ibm.security.jgss.debug Value: all Name: com.ibm.security.krb5.Krb5Debug Value: all

=info:SecurityDomain=all:com.ibm.ws.security.=all:com.ibm.websphere.security.=all:com.ibm.wsspi.security.=all

C:\ldifde -f output.txt -r "(servicePrincipalName=HTTP/hostname.domain.com)"

Name: com.ibm.security.jgss.debug Value: all Name: com.ibm.security.krb5.Krb5Debug Value: all

=info:SecurityDomain=all:com.ibm.ws.security.=all:com.ibm.websphere.security.=all:com.ibm.websphere.wim.=all:com.ibm.wsspi.wim.=all:com.ibm.ws.wim.=all

Time when the problem occurs The client user ID which logged in to the Microsoft Domain The Microsoft Domain name itself The exact URL being invoked.

Note:

This document uses the term WebSphere traditional to refer to WebSphere Application Server v9.0 traditional, WebSphere Application Server v8.5 full profile, WebSphere Application Server v8.0 and earlier, WebSphere classic, traditional WebSphere, traditional WAS, and tWAS.

Related Information

MustGather: Read first for WebSphere Application Server and Liberty

Submitting information to IBM support

WebSphere Application Server support

[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.0;8.5;8.0;7.0","Edition":"Base;Express;Network Deployment","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SS7JFU","label":"WebSphere Application Server - Express"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"6.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Java SDK","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Tips

MustGather: SPNEGO problems on WebSphere traditional

Troubleshooting

Problem

Resolving The Problem

Runtime:

SET UP WEBSPHERE TRADITIONAL FOR SPNEGO TRACING

COLLECT WEBSPHERE TRADITIONAL SPNEGO TRACES

GATHER WEBSPHERE TRADITIONAL SPNEGO DATA TO SEND TO IBM SUPPORT

Note:

Related Information

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?