IBM Support

MustGather: Problems with SPNEGO on WebSphere Application Server

Technote (troubleshooting)


Problem (Abstract)

Collecting data for problems with the IBM WebSphere® Application Server SPNEGO component. Gathering this MustGather information before calling IBM support will help you understand the problem and save time analyzing the data.

Resolving the problem

This document describes the process for collecting data for problems with the IBM WebSphere® Application Server SPNEGO component.


Profile:


This document is for collecting data for the FULL PROFILE. If you want to collect data for the Liberty profile, see MustGather: Problems with SPNEGO on Liberty or click on the Liberty tab above.

Read first and related MustGathers


For a listing of all technotes, downloads, and educational materials specific to the Security component, search the WebSphere Application Server support site.

Exchanging data with IBM Support

To diagnose or identify a problem, it is sometimes necessary to provide Technical Support with data and information from your system. In addition, Technical Support might also need to provide you with tools or utilities to be used in problem determination. You can submit files using one of the following methods to help speed problem diagnosis:


SPNEGO on WebSphere Application Server trace specifications


  • Java™ Virtual Machine (JVM) properties:
    Name: com.ibm.security.jgss.debug
    Value: all

    Name: com.ibm.security.krb5.Krb5Debug
    Value: all

    Avoid Trouble: Trace specifications must be entered as one line with no breaks or spaces.

  • Diagnostic trace specification:
    *=info:SecurityDomain=all:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all

Diagnostic Questions

Please provide answers to the following diagnostic questions:

  1. Versions:
    WebSphere Application Server version :
    Active Directory version :
    Client OS version :
  2. What is the full web request URL accessed by the client browser?
  3. Is the requested hostname a DNS alias (CNAME record) or a real hostname (A record)?
  4. What Active Directory user ID is used to map to the desired SPNs?
    Provide a screenshot of the Active Directory User properties Account tab for this user.
  5. Please provide the commands issued to create the keytab and SPN mappings on the AD server. If possible, also provide the command output.
  6. Provide screenshots of the SPN hostname filter entries in the WebSphere admin console.
  7. Are additional SPNEGO filter criteria being used? If yes, what are they?
  8. Find all SPN mapping occurrences mapped to AD user names:
    On the Active Directory server, run the following command:
    C:\> ldifde -f output.txt -r "(servicePrincipalName=HTTP/hostname.domain.com)"

    (hostname.domain.com is the same FQDN hostname used in the web request by the client)

  9. Are there any load balancers, firewalls, proxies, or web servers in the mix, or any devices/appliances between the client browser and WebSphere? If so, please provide the basic login flow details and the relevant topology.
  10. Is this a single Active Directory domain, or do you have trusted domains/forests? Please elaborate if the latter.
  11. Screenshots of the client browser SPNEGO settings.
  12. Also provide your krb5 config and keytab files.
  13. Is SPNEGO configured within a security domain? If so, please provide the ../<profile_root>/config/waspolicies directory.
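
The ldifde query in question 8 should return the SPN on exactly one account; when the same SPN is registered on more than one account, the KDC cannot tie it to a single service key. The following is an added example, not part of the IBM technote, that parses ldifde-style LDIF output and reports SPNs held by more than one account. The sample entries, account names and function names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample of ldifde output (not from a real directory). Three accounts
# hold the same SPN: once plainly, once on a folded line, once base64-encoded.
SAMPLE_LDIF = """\
dn: CN=wasuser,CN=Users,DC=domain,DC=com
sAMAccountName: wasuser
servicePrincipalName: HTTP/hostname.domain.com
servicePrincipalName: HTTP/hostname

dn: CN=oldsvc,CN=Users,DC=domain,DC=com
sAMAccountName: oldsvc
servicePrincipalName: HTTP/hostname.dom
 ain.com

dn: CN=legacy,CN=Users,DC=domain,DC=com
sAMAccountName: legacy
servicePrincipalName:: """ + base64.b64encode(b"http/HOSTNAME.domain.com").decode() + "\n"

def parse_entries(ldif_text):
    """Yield one {attribute: [values]} dict per LDIF entry."""
    # LDIF folds long lines: a newline followed by one space continues the value.
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[name.lower()].append(value.strip())
        if entry:
            yield entry

def spn_owners(ldif_text):
    """Map each SPN (lower-cased, since AD compares SPNs case-insensitively) to its accounts."""
    owners = defaultdict(set)
    for entry in parse_entries(ldif_text):
        account = (entry.get("samaccountname") or entry.get("dn") or ["?"])[0]
        for spn in entry.get("serviceprincipalname", []):
            owners[spn.lower()].add(account)
    return owners

def duplicate_spns(ldif_text):
    """Return {spn: sorted accounts} for every SPN mapped to more than one account."""
    return {s: sorted(o) for s, o in spn_owners(ldif_text).items() if len(o) > 1}

if __name__ == "__main__":
    for spn, accounts in duplicate_spns(SAMPLE_LDIF).items():
        print(f"DUPLICATE {spn}: {', '.join(accounts)}")
```

To check real output, pass the text of output.txt to duplicate_spns(); a file written by ldifde with the -u option is Unicode and must be decoded accordingly before parsing.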

Collecting data manually for Problems with SPNEGO on WebSphere Application Server (Step-by-Step)


This section is for collecting data for Problems with SPNEGO on WebSphere Application Server. If you want to collect data for Problems with SPNEGO on Liberty click here or see the Liberty tab above.


Before you collect data, be sure to answer the Diagnostic Questions in the section above.


You may choose to follow this step-by-step document or you can watch the video in the Collecting data manually for Problems with SPNEGO on WebSphere Application Server (Video) section.

SPNEGO issues on WebSphere Application Server may be difficult to troubleshoot. Please make sure to collect all the information below. When all the information for your issue is ready, follow the instructions on Exchanging information with IBM Technical Support for problem determination to send the information and files that you collected.


SETTING UP WEBSPHERE APPLICATION SERVER FOR SPNEGO TRACING



NOTE: If possible, when capturing the traces, re-create the problem using the default application /snoop servlet instead of a custom application. This helps rule out application issues and confirms whether the SPNEGO configuration itself is working.

Set up the JVM for SPNEGO tracing
  1. In the Administrative Console, navigate to Servers > Application Servers > server_name. Under Server Infrastructure, expand Java and process management. Select Process Definition > Java Virtual Machine > Custom Properties. Create two new Java™ Virtual Machine (JVM) properties:
    Name: com.ibm.security.jgss.debug
    Value: all

    Name: com.ibm.security.krb5.Krb5Debug
    Value: all

Set up the WebSphere Application Server for SPNEGO tracing
  1. Expand Troubleshooting > Logs and Trace > server_name.
  2. Select Diagnostic Trace Service. Increase the Maximum Number of Historical Files from 1 to 10.
  3. Click Apply, then select Change Log Detail Levels.
  4. Clear the trace string in the box and replace it with the following trace string:

    *=info:SecurityDomain=all:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all
  5. Click Apply, and Save.


COLLECTING WEBSPHERE APPLICATION SERVER SPNEGO TRACES



Stop the server, clear the logs, and re-create the issue so that the collected information is fresh and concise.
  1. Stop the server and delete or rename all the logs in the profile_home/logs directory. Then restart the server.
  2. Reproduce the problem, making note of the following information:
    Time when the problem occurs
    The client user ID which logged into the Microsoft Domain
    The Microsoft Domain name itself
    The exact URL being invoked.


GATHERING WEBSPHERE APPLICATION SERVER SPNEGO DATA TO SEND TO IBM SUPPORT


  1. Run the Collector Tool which is located in the profile_home/bin directory on both Network Deployment (for federated environment only) and base Application Server profiles.

Collecting data manually for Problems with SPNEGO on WebSphere Application Server (Video)


This section is for collecting data for Problems with SPNEGO on WebSphere Application Server. If you want to collect data for Problems with SPNEGO on Liberty click here or see the Liberty tab above.


Before you collect data, be sure to answer the Diagnostic Questions in the section above.

You may choose to watch this video or follow the step-by-step instructions in the Collecting data manually for Problems with SPNEGO on WebSphere Application Server (Step-by-Step) section.

SPNEGO issues on WebSphere Application Server may be difficult to troubleshoot. Please make sure to collect all the information described in the video. When all the information for your issue is ready, follow the instructions on Exchanging information with IBM Technical Support for problem determination to send the information and files that you collected.



VIDEO


The following video goes over the necessary steps to collect data for a SPNEGO problem on WebSphere Application Server.

Related information

MustGather: Read first for WebSphere Application Server
Steps to get support for WebSphere Application Server
Recording your screen to share with IBM Support
Submitting information to IBM support

Cross reference information
Segment | Product | Component | Platform | Version | Edition
Application Servers | WebSphere Application Server - Express | Security | AIX, HP-UX, Linux, Solaris, Windows | 6.1 |
Application Servers | Runtimes for Java Technology | Java SDK | | |

Document information

More support for: WebSphere Application Server
Security

Software version: 7.0, 8.0, 8.5, 9.0

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: Base, Express, Network Deployment

Reference #: 1255030

Modified date: 30 November 2007

