Knowledgebase:
Troubleshooting Kerberos external authentication issues
16 February 2021 03:45 PM

Summary 

This article is intended to help investigate certain Kerberos external authentication issues. Because most Kerberos authentication problems require IT involvement, below are a few areas we recommend checking before involving IT.

Keytab file location and permission

MarkLogic Server requires a keytab file with the specific name "services.keytab" in the MarkLogic data directory (/var/opt/MarkLogic on Linux, as in the listing below).

Note: The keytab must not be group- or world-readable; it should be readable only by its owner, the user MarkLogic runs as (mode 0600, as in the listing below).

[Location] $ pwd
/var/opt/MarkLogic
[Permission & Owner] $ ls -alt services.keytab
-rw------- 1 daemon daemon 86 May  4 09:51 services.keytab
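The following shell script is an added example, not part of this article or of MarkLogic itself. It automates the two checks above: that the keytab exists and that its mode carries no group or other bits, with an optional owner check (the listing shows daemon, which is the default MarkLogic service user). The fixture files it creates under a temporary directory are constructed so the script runs without a real keytab.

```shell
#!/bin/sh
# Added example, not MarkLogic's own code: check that a keytab exists, is a
# regular file and has no group/other permission bits, which is what the
# -rw------- listing for services.keytab looks like. The expected owner
# (daemon on a default MarkLogic install) is an optional second argument.

# check_keytab PATH [OWNER]
# Returns 0 when the file exists, is owner-only accessible and (if OWNER is
# given) is owned by OWNER; prints the first problem found and returns 1 otherwise.
check_keytab() {
    keytab="$1"
    want_owner="$2"
    if [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab does not exist or is not a regular file"
        return 1
    fi
    listing=$(ls -ld "$keytab")
    # Characters 5-10 of an ls -l line are the group and other permission bits.
    if [ "$(printf '%s\n' "$listing" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $keytab is group- or world-accessible: $listing"
        return 1
    fi
    if [ -n "$want_owner" ]; then
        owner=$(printf '%s\n' "$listing" | awk '{ print $3 }')
        if [ "$owner" != "$want_owner" ]; then
            echo "FAIL: $keytab is owned by $owner, expected $want_owner"
            return 1
        fi
    fi
    echo "OK: $listing"
    return 0
}

# Constructed fixtures so the check can be exercised without a real keytab.
FIXTURE_DIR=$(mktemp -d)
trap 'rm -rf "$FIXTURE_DIR"' EXIT
GOOD_KEYTAB="$FIXTURE_DIR/services.keytab"
BAD_KEYTAB="$FIXTURE_DIR/group-readable.keytab"
printf 'placeholder keytab bytes\n' > "$GOOD_KEYTAB"
chmod 600 "$GOOD_KEYTAB"
printf 'placeholder keytab bytes\n' > "$BAD_KEYTAB"
chmod 640 "$BAD_KEYTAB"

check_keytab "$GOOD_KEYTAB" "$(id -un)"     # OK
check_keytab "$BAD_KEYTAB"                  # FAIL: group-readable
check_keytab "$FIXTURE_DIR/missing.keytab"  # FAIL: missing
```

On a real server run it as `check_keytab /var/opt/MarkLogic/services.keytab daemon`; the owner check uses the third column of `ls -ld`, so it works the same on GNU and BSD userlands.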

Sample krb5.conf Configuration file 

The Kerberos configuration file (krb5.conf) is essential to the Kerberos handshake; below is a sample file for reference.

$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
default_realm = MLTEST1.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
 
[realms]
MLTEST1.LOCAL = {
   kdc = srv-202-1-vm1.colo.marklogic.com
   admin_server = srv-202-1-vm1.colo.marklogic.com
}
[domain_realm]
.marklogic.com = MLTEST1.LOCAL
marklogic.com = MLTEST1.LOCAL


Configuring Client Browser to utilize Kerberos authentication 

Most web browsers are not configured by default to use Kerberos authentication with a web server. Making sure the browser is properly configured for the Kerberos handshake eliminates one more suspect during troubleshooting. Below is a Microsoft article detailing browser configuration for Kerberos:

https://docs.microsoft.com/en-us/troubleshoot/iis/troubleshoot-kerberos-failures-ie

Browser Login Dialog Username

When a web browser attempts to connect to a Kerberos-enabled web server, the browser prompts the user with a login dialog. The Kerberos handshake expects the user to provide the complete domain/realm along with the username during login.

Example - UserName : "test1@MLTEST1.LOCAL"

Case Sensitivity of Kerberos

The Kerberos username as well as the domain/realm are case sensitive and must match the realm configured in krb5.conf. Not having the correct case on the complete username (including the realm) can lead to an error with limited debugging information.
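The script below is an added example, not code from this article or from MarkLogic. It serves the three sections above together: it reads default_realm and the [realms] stanzas out of a krb5.conf (the sample file is a constructed copy of the one shown earlier, written to a temporary file), and then checks a login name of the form user@REALM, as entered in the browser dialog, against that configuration. A realm that matches only when case is ignored is reported as a distinct failure, since that is the mismatch the article warns gives little to debug.

```shell
#!/bin/sh
# Added example, not MarkLogic's own code: parse default_realm and the realm
# stanzas from a krb5.conf, then check that a browser login name (user@REALM)
# carries the configured realm in exactly the configured case.

# Print the default_realm value from the [libdefaults] section.
krb5_default_realm() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }
        section == "libdefaults" && /^default_realm[ \t]*=/ {
            sub(/^default_realm[ \t]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Print the name of every realm that has a "NAME = { ... }" block under [realms].
krb5_realms() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }
        section == "realms" && /=[ \t]*[{]/ { sub(/[ \t]*=.*/, ""); print }' "$1"
}

# krb5_realm_defined CONF REALM: returns 0 if REALM has a [realms] stanza.
krb5_realm_defined() {
    krb5_realms "$1" | grep -Fqx "$2"
}

# check_login_realm CONF LOGIN
# 0: LOGIN names a realm the file defines (exact case);
# 2: the default realm, but in the wrong case;
# 1: no @REALM part at all, or a realm the file does not define.
check_login_realm() {
    conf="$1"
    login="$2"
    realm="${login#*@}"
    if [ "$realm" = "$login" ]; then
        echo "FAIL: '$login' has no @REALM part; Kerberos expects user@REALM"
        return 1
    fi
    default=$(krb5_default_realm "$conf")
    if [ "$realm" = "$default" ]; then
        echo "OK: '$login' uses the default realm $default"
        return 0
    fi
    realm_uc=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    default_uc=$(printf '%s' "$default" | tr '[:lower:]' '[:upper:]')
    if [ "$realm_uc" = "$default_uc" ]; then
        echo "FAIL: realm case mismatch: login has '$realm', krb5.conf has '$default'"
        return 2
    fi
    if krb5_realm_defined "$conf" "$realm"; then
        echo "OK: '$login' uses realm $realm (defined, but not the default $default)"
        return 0
    fi
    echo "FAIL: realm '$realm' is not defined in $conf"
    return 1
}

# Constructed sample krb5.conf, copied from the article's example values.
KRB5_CONF=$(mktemp)
trap 'rm -f "$KRB5_CONF"' EXIT
cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
default_realm = MLTEST1.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
MLTEST1.LOCAL = {
   kdc = srv-202-1-vm1.colo.marklogic.com
   admin_server = srv-202-1-vm1.colo.marklogic.com
}
[domain_realm]
.marklogic.com = MLTEST1.LOCAL
marklogic.com = MLTEST1.LOCAL
EOF

echo "default_realm: $(krb5_default_realm "$KRB5_CONF")"
check_login_realm "$KRB5_CONF" 'test1@MLTEST1.LOCAL'   # OK
check_login_realm "$KRB5_CONF" 'test1@mltest1.local'   # FAIL: case mismatch (exit 2)
check_login_realm "$KRB5_CONF" 'test1'                 # FAIL: no realm (exit 1)
```

Point it at the real file with `check_login_realm /etc/krb5.conf 'user@REALM'`; the parser only trims whitespace and tracks the current [section], so it handles the indented kdc and admin_server lines inside a realm block without treating them as realm names.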

MarkLogic Trace Events

Enable the Kerberos trace event as described below, then run a Kerberos login test again so that the ErrorLog captures the trace events; these can provide more information on the Kerberos handshake between MarkLogic and the Kerberos server.

Add the "Kerberos GSS Negotiate" trace event in the Admin UI by navigating to Configure -> Groups -> {group-name} -> Diagnostics; set "trace events activated" to true, add "Kerberos GSS Negotiate" to the list of events, and press the "ok" button.

List of other potential issues and troubleshooting techniques (a well-compiled third-party source):

https://technet.microsoft.com/en-us/library/bb463167.aspx
