Kerberos bind authentication troubleshooting tips
You might encounter issues when you use the Kerberos bind authentication with Generic Security Services API (GSSAPI) to connect the application server to an LDAP directory service. Tips and possible solutions are provided for issues such as a missing Kerberos principal name in a ticket cache file.
A user cannot log in to the administrative console or perform administrative tasks
If a stand-alone LDAP server that is enabled for Kerberos uses a Kerberos ticket cache to hold the credential and that credential expires, authentication fails and the user cannot log in. To resolve the problem, refresh the credential.
For federated repositories, if the Allow operations if some of the repositories are down option is not enabled, the application server must be able to successfully search for the user in all participating registries. The application server does this search to verify that the user is unique to a repository. If a Kerberos-enabled LDAP server in a federated repository uses a Kerberos ticket cache to hold the credential and that credential has expired, the search of that LDAP registry fails. This failure prevents any administrative console user from logging in. To resolve the problem, refresh the credential. To keep one unavailable registry from blocking all logins, enable the Allow operations if some of the repositories are down option.
To review the expiration time of the Kerberos principal user, use the Java klist tool.
The Kerberos principal name is not found in the Kerberos keytab file
javax.security.auth.login.FailedLoginException: Null key
Verify that the Kerberos principal name is correct and that the correct Kerberos keytab file is used.
The Kerberos principal name is not in the Kerberos ticket cache file
This problem has the following possible causes:
- The credential in the ticket cache was not generated for the configured Kerberos principal name, which indicates an incorrect Kerberos configuration.
- The credential in the Kerberos ticket cache has expired.
javax.security.auth.login.LoginException: CWWIM5120E: Kerberos login failed using Kerberos principal ABC/example.com and Kerberos credential cache (ccache) file:/C:/Users/ibmadmin/krb5cc_ibmadmin.
To review the expiration time of the Kerberos principal user, run the Java klist tool.
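The two ticket-cache problems above (an expired credential, and a cache that does not hold the configured principal) can both be spotted by reading the output of the Java klist tool before the application server fails the login. The following Python script is an added example and is not part of the original page or of the WebSphere product; the klist output it parses is a constructed sample whose layout is assumed to match the JDK klist tool (Default principal line, then numbered Service Principal entries with Valid starting and Expires lines), so adjust the regular expressions if your JDK prints a different layout. The ticket-cache path and the ABC/example.com@VMM.COM principal are taken from the error message on this page; the dates are made up.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of Java klist output (layout assumed, dates made up).
SAMPLE_KLIST_OUTPUT = """\
Credentials cache: C:\\Users\\ibmadmin\\krb5cc_ibmadmin

Default principal: ABC/example.com@VMM.COM, 2 entries found.

[1]  Service Principal:  krbtgt/VMM.COM@VMM.COM
     Valid starting:  Jun 21, 2024 10:39
     Expires:         Jun 22, 2024 10:39

[2]  Service Principal:  ldap/example2.com@VMM.COM
     Valid starting:  Jun 21, 2024 10:40
     Expires:         Jun 21, 2024 20:40
"""

# Timestamp format used in the sample above (assumption about klist output).
DATE_FMT = "%b %d, %Y %H:%M"


def parse_klist(text):
    """Return (default_principal, [(service_principal, expires), ...])."""
    default_principal = None
    tickets = []
    service = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Default principal:\s*([^,\s]+)", line)
        if m:
            default_principal = m.group(1)
            continue
        m = re.match(r"(?:\[\d+\]\s*)?Service Principal:\s*(\S+)", line)
        if m:
            service = m.group(1)
            continue
        m = re.match(r"Expires:\s*(.+)$", line)
        if m and service:
            # Collapse the column padding before parsing the timestamp.
            stamp = " ".join(m.group(1).split())
            tickets.append((service, datetime.strptime(stamp, DATE_FMT)))
            service = None
    return default_principal, tickets


def check_ticket_cache(text, expected_principal, now):
    """Return a list of problems; an empty list means the cache looks usable."""
    default_principal, tickets = parse_klist(text)
    problems = []
    if default_principal != expected_principal:
        problems.append(
            f"principal {expected_principal} not found in ticket cache "
            f"(cache holds {default_principal})"
        )
    for service, expires in tickets:
        if expires <= now:
            problems.append(
                f"ticket for {service} expired at {expires:%Y-%m-%d %H:%M}"
            )
    return problems


def read_ticket_cache(ccache_path):
    """Run the JDK klist tool against a cache file (klist must be on PATH).

    The '-c <file>' invocation is an assumption about the JDK klist options.
    """
    result = subprocess.run(["klist", "-c", ccache_path],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use read_ticket_cache()
    # on a real ticket cache path instead.
    now = datetime(2024, 6, 21, 22, 0)
    for problem in check_ticket_cache(SAMPLE_KLIST_OUTPUT,
                                      "ABC/example.com@VMM.COM", now):
        print("PROBLEM:", problem)
```

Run it with the principal name that the LDAP repository is configured with; any reported problem maps directly to one of the two causes listed above, and refreshing the credential (or correcting the principal in the configuration) is the fix in either case.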
GSS exceptions occur when a new or updated LDAP server configuration is saved
com.ibm.websphere.wim.exception.WIMConfigurationException: CWWIM5020E Could not connect to the ldap://example2.com repository using properties: ... Exception occurred: javax.security.sasl.SaslException: GSS initiate failed [Caused by org.ietf.jgss.GSSException, major code: 11, minor code: 0 major string: General failure, unspecified at GSSAPI level minor string: Error: java.lang.Exception: Error: com.ibm.security.krb5.KrbException, status code: 7 message: :ldap/example2.com@VMM.COM].
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Failure to initialize security context [Caused by org.ietf.jgss.GSSException, major code: 11, minor code: 0 major string: General failure, unspecified at GSSAPI level minor string: Error creating name: com.ibm.security.krb5.KrbException, status code: 0 message: None]]
These exceptions have the following possible causes:
- A realm name, such as @domain.com, is missing from a Kerberos principal name (for example, user1@VMM.COM).
- A default realm name is not found in the Kerberos configuration file.
CWWIM5128E: The Kerberos principal name user1 is incorrectly formatted or the realm name is missing or a default realm name cannot be found.
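The CWWIM5128E condition above arises when a principal name carries no realm and the Kerberos configuration file supplies no default_realm to fill it in. The following Python script is an added example, not code from the original page or from the WebSphere product: it reads the default_realm value from the [libdefaults] section of a krb5.conf-style file and qualifies a bare principal name with it, raising an error in the same situations that the page describes. The krb5.conf fragment is constructed, and the VMM.COM realm is taken from the page's own example.

```python
# Constructed krb5.conf fragment (not from the page); only [libdefaults]
# matters for this check.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = VMM.COM
    dns_lookup_kdc = false

[realms]
    VMM.COM = {
        kdc = kdc.example.com
    }
"""


def default_realm_from_krb5_conf(text):
    """Return default_realm from the [libdefaults] section, or None if absent."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None


def qualify_principal(principal, krb5_conf_text):
    """Return a principal with a realm, or raise ValueError as CWWIM5128E would.

    A name such as user1@VMM.COM is returned unchanged; a bare name such as
    user1 gets the default realm appended; a bare name with no default realm
    configured, or a malformed name such as 'user1@', is rejected.
    """
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
        if name and realm:
            return principal
        raise ValueError(
            f"The Kerberos principal name {principal} is incorrectly formatted")
    realm = default_realm_from_krb5_conf(krb5_conf_text)
    if realm is None:
        raise ValueError(
            f"The Kerberos principal name {principal} has no realm name "
            "and a default realm name cannot be found")
    return f"{principal}@{realm}"


if __name__ == "__main__":
    for candidate in ("user1@VMM.COM", "user1", "user1@"):
        try:
            print(candidate, "->", qualify_principal(candidate, SAMPLE_KRB5_CONF))
        except ValueError as err:
            print(candidate, "->", err)
```

Running the check against the principal name and krb5.conf that the application server actually uses tells you which of the two causes applies before the LDAP configuration is saved.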