Troubleshooting Kerberos external authentication issues
16 February 2021 03:45 PM
Summary
This article is intended to help investigate certain Kerberos external authentication issues. Since most Kerberos authentication problems require considerable IT involvement, below are a few areas we recommend investigating before involving IT for Kerberos trouble.

Keytab file location and permission
MarkLogic Server requires a keytab file with the specific name "services.keytab" at the specified location within the MarkLogic Data directory. Note: the permissions on the keytab must not be world- or group-readable.

[Location]
$ pwd
/var/opt/MarkLogic

[Permission & Owner]
$ ls -alt services.keytab
-rw------- 1 daemon daemon 86 May 4 09:51 services.keytab
Sample krb5.conf Configuration file
The Kerberos configuration file is essential to the Kerberos handshake; below is a sample Kerberos configuration file for reference.

$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MLTEST1.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MLTEST1.LOCAL = {
kdc = srv-202-1-vm1.colo.marklogic.com
admin_server = srv-202-1-vm1.colo.marklogic.com
}
[domain_realm]
.marklogic.com = MLTEST1.LOCAL
marklogic.com = MLTEST1.LOCAL
Configuring Client Browser to utilize Kerberos authentication
Most web browsers are not enabled by default to use Kerberos authentication with a web server. Making sure the browser is properly configured for the Kerberos handshake eliminates one more suspect during troubleshooting. Below is a Microsoft article detailing browser configuration with respect to Kerberos:
https://docs.microsoft.com/en-us/troubleshoot/iis/troubleshoot-kerberos-failures-ie

Browser Login Dialog Username
When a web browser attempts to connect to a Kerberos-enabled web server, the browser presents a login prompt to the user. The Kerberos handshake expects the user to provide the complete domain/realm along with the username during the login process.
Example - UserName :

Case Sensitivity of Kerberos
The Kerberos username as well as the domain/realm are case sensitive, and they must match the domain/realm configured in file

MarkLogic Trace Events
We can enable the Kerberos trace event as below and then run a Kerberos login test again so that the ErrorLog captures the trace events, which can provide more information on the Kerberos handshake between MarkLogic and the Kerberos server.
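The keytab permission check and the realm case-sensitivity check described above, as an added pre-flight script (example code, not part of the original article or MarkLogic's tooling). The krb5.conf path, keytab path and login name are assumptions passed as arguments; the test data in the realm lookup is constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks before escalating a Kerberos login failure.

# Returns 0 if the keytab exists and carries no group/other permission bits.
keytab_perms_ok() {
  f=$1
  [ -f "$f" ] || return 1
  # characters 5-10 of `ls -l` output are the group and other rwx bits
  bits=$(ls -ld "$f" | cut -c5-10)
  [ "$bits" = "------" ]
}

# Prints default_realm from the [libdefaults] section of a krb5.conf file.
default_realm() {
  awk -F'=' '
    /^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/) }
    in_ld && $1 ~ /^[ \t]*default_realm[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }
  ' "$1"
}

# Returns 0 if the login name (user@REALM) carries a realm and it matches
# default_realm exactly: Kerberos compares realms case-sensitively.
login_realm_ok() {
  conf=$1
  login=$2
  case $login in
    *@*) ;;
    *) return 1 ;;   # realm missing from the login name
  esac
  [ "${login#*@}" = "$(default_realm "$conf")" ]
}

# Runs both checks against: $1 krb5.conf, $2 keytab, $3 login name.
run_checks() {
  rc=0
  if keytab_perms_ok "$2"; then echo "OK   keytab $2 is owner-only"
  else echo "FAIL keytab $2 missing or group/world readable"; rc=1; fi
  if login_realm_ok "$1" "$3"; then echo "OK   realm in $3 matches $1"
  else echo "FAIL realm in $3 missing or differs from '$(default_realm "$1")'"; rc=1; fi
  return $rc
}

# Usage (assumed paths): sh check_krb.sh /etc/krb5.conf /var/opt/MarkLogic/services.keytab user@MLTEST1.LOCAL
if [ "$#" -eq 3 ]; then
  run_checks "$1" "$2" "$3"
fi
```

A realm typed in lower case (user@mltest1.local against default_realm MLTEST1.LOCAL) is reported as a mismatch, which is the case-sensitivity trap the section warns about.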
List of other potential issues and troubleshooting techniques (well-compiled 3rd-party source)
https://technet.microsoft.com/en-us/library/bb463167.aspx