MustGather: Problems with Spnego

Technote (troubleshooting)


Collecting data for problems with the IBM WebSphere Application Server SPNEGO component. Gathering this MustGather information before calling IBM support will help you understand the problem and save time analyzing the data.

Resolving the problem

If you have already contacted support, continue on to the component-specific MustGather information. Otherwise, click: MustGather: Read first for all WebSphere Application Server products.

Spnego specific MustGather information

1) WebSphere Application Server version :
Active Directory version :
Client OS version :

2) What is the desired AD_username used to map to SPN's ?
Provide a screenshot of the Active Directory User properties Account Tab for this user.

3) Please list all SPN's used to map to the above AD_username : (HTTP/ ?

4) Please provide commands issued to create the keytab and SPN mappings on the AD server. If possible, also provide the command output.

5) What is the full web request URL accessed by the client browser ?

6) Is the requested hostname an alias(CNAME Record) or real_hostname(A Record) in DNS ?

7) Provide screen shot's of SPN filter entries in WebSphere adminconsole.

8) Are additional SPNEGO filter criteria being used ? If yes, what are they ?

9) Find all SPN mapping occurrences mapped to AD usernames:
On the Active Directory Server, run following command:
C:\ldifde -f output.txt -r "(servicePrincipalName=HTTP/"
( is the same fqdn hostname used in the web request by the client)

10) Are there loadbalancers, firewalls, proxies, or webservers in the mix, or any devices/appliances
between the client browser and WebSphere ? If you can please provide the login flow with relovent
topology involved.

11) Is this a single domain or do you have trusted domains/forests ? Please elaborate if the latter.

12) Screenshots of client browser SPNEGO settings.

13) Also provide your krb5 config and keytab files.

14) Is SPNEGO configured within a security domain ? If so, please
provide the ../<profile_root>/config/waspolicies directory.

15) Capture a trace and run collector tool for SPNEGO issues :

    1. In the Administrative Console, navigate to Servers > Application Servers > server_name. Under Server Infrastructure, expand Java and process management. Select Process Definition > Java Virtual Machine > Custom Properties. Create two new Java ™ Virtual Machine (JVM) properties:

      Value: all

      Value: all

    2. Expand TroubleShooting > Logs and Trace > server_name.
    3. Select Diagnostic Trace Service. Increase the Maximum Number of Historical Files from 1 to 10.
    4. Click Apply, then select Change Log Detail Levels.
    5. Clear the trace string in the box and replace it with the following trace string:*=all
    6. Click Apply, and Save.

      Stop the server and delete or rename all the logs in the profile_home/logs directory. Then restart the server. This ensures that the logs are recent.
    7. Recreate the problem. Make note of the time the problem occurs, the user ID, and the exact URL being invoked.
    8. Run the Collector Tool which is located in the profile_home/bin directory on both Network Deployment (for federated environment only) and base Application Server profiles.

For a listing of all technotes, downloads, and educational materials specific to the Security component, search the WebSphere Application Server support site.

Related information

Steps to getting support
Mustgather:Read First
Troubleshooting Guide
Exchanging Information with IBM

Cross reference information
Segment Product Component Platform Version Edition
Application Servers WebSphere Application Server - Express Security AIX, HP-UX, Linux, Solaris, Windows 6.1
Application Servers Runtimes for Java Technology Java SDK

Rate this page:

(0 users)Average rating

Add comments

Document information

More support for:

WebSphere Application Server

Software version:

6.1, 7.0, 8.0, 8.5

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Software edition:

Base, Express, Network Deployment

Reference #:


Modified date:


Translate my page

Machine Translation

Content navigation