
Troubleshooting Kerberos external authentication issues
16 February 2021 03:45 PM


This article is intended to help investigate certain Kerberos External Authentication issues. Because most Kerberos authentication problems require significant IT involvement to resolve, below are a few areas we recommend checking before involving IT.

Keytab file location and permission

MarkLogic Server requires a keytab file with the specific name "services.keytab" at the expected location within the MarkLogic Data directory.

Note: The permissions on the keytab must not be world or group readable.

[Location] $ pwd
[Permission & Owner] $ ls -alt services.keytab
-rw------- 1 daemon daemon 86 May  4 09:51 services.keytab
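The following shell function, an added example that is not part of the original article, automates the two checks above: it verifies that a keytab exists and that its group and other permission bits are all cleared. The demo at the bottom runs it against a constructed placeholder file in a temporary directory, not a real services.keytab; the path to the MarkLogic Data directory is assumed to be supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the MarkLogic article): checks that a keytab file
# exists and is readable only by its owner, as the note above requires.
# Returns 0 when the keytab passes, 1 otherwise, and prints the reason.
check_keytab() {
    keytab="$1"
    if [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab does not exist"
        return 1
    fi
    # Columns 5-10 of 'ls -l' output are the group and other permission bits;
    # an owner-only file (0600) shows "------" there.
    mode=$(ls -ld "$keytab" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: $keytab is group- or world-accessible (group/other bits: $mode)"
        return 1
    fi
    echo "OK: $keytab exists and is owner-only"
    return 0
}

# Demo with a constructed placeholder keytab in a temp directory
# (assumption: in real use pass <MarkLogic Data dir>/services.keytab).
demo_dir=$(mktemp -d)
printf 'placeholder' > "$demo_dir/services.keytab"
chmod 644 "$demo_dir/services.keytab"
check_keytab "$demo_dir/services.keytab" || true   # expected: FAIL (world-readable)
chmod 600 "$demo_dir/services.keytab"
check_keytab "$demo_dir/services.keytab" || true   # expected: OK
check_keytab "$demo_dir/missing.keytab" || true    # expected: FAIL (does not exist)
rm -rf "$demo_dir"
```

The check only looks at the mode bits, so it does not replace confirming that the owner is the account MarkLogic runs as (daemon in the listing above).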

Sample krb5.conf Configuration file

The Kerberos configuration file is essential to the Kerberos handshake. Below is a sample krb5.conf for reference.

$ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MLTEST1.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 MLTEST1.LOCAL = {
   kdc =
   admin_server =
 }

[domain_realm]
 MLTEST1.LOCAL = MLTEST1.LOCAL


Configuring Client Browser to utilize Kerberos authentication

Most web browsers are not enabled by default to use Kerberos authentication with a web server. Making sure the browser is properly configured for the Kerberos handshake eliminates one more suspect during troubleshooting. The Microsoft blog post linked below describes browser configuration for Kerberos in detail.

Browser Login Dialog Username

When a web browser attempts to connect to a Kerberos-enabled web server, the browser shows a login prompt to the user. The Kerberos handshake expects the user to provide the complete domain/realm along with the username during login.

Example - UserName : "test1@MLTEST1.LOCAL"

Case Sensitivity of Kerberos

Kerberos usernames and domain/realm names are case sensitive and must match the domain/realm configured in krb5.conf. Not using the correct case in the complete username (including the realm) can lead to an error with limited debugging information.
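The following shell functions, an added example that is not part of the original article, catch the case problem described above before a login is attempted: they extract the realm from a "user@REALM" login name and compare it byte for byte with default_realm in a krb5.conf, reporting separately when the only difference is case. The demo writes a constructed krb5.conf (using the article's sample realm MLTEST1.LOCAL) to a temporary file; a real check would point at /etc/krb5.conf.

```sh
#!/bin/sh
# Added example (not from the MarkLogic article): verifies that the realm in a
# login name exactly matches default_realm in krb5.conf, since Kerberos
# compares realms case-sensitively.

# Print the default_realm value from a krb5.conf file (first occurrence).
default_realm_from() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when USER is user@REALM and REALM equals default_realm in CONF.
check_user_realm() {
    user="$1"; conf="$2"
    case "$user" in
        *@*) realm="${user##*@}" ;;
        *)   echo "FAIL: '$user' has no @REALM suffix"; return 1 ;;
    esac
    expected=$(default_realm_from "$conf")
    if [ -z "$expected" ]; then
        echo "FAIL: no default_realm found in $conf"; return 1
    fi
    if [ "$realm" = "$expected" ]; then
        echo "OK: realm '$realm' matches default_realm"; return 0
    fi
    # Distinguish a case-only mismatch (the common mistake) from a different realm.
    up_realm=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    up_expected=$(printf '%s' "$expected" | tr '[:lower:]' '[:upper:]')
    if [ "$up_realm" = "$up_expected" ]; then
        echo "FAIL: realm '$realm' differs from '$expected' only in case; Kerberos is case sensitive"
    else
        echo "FAIL: realm '$realm' is not the configured default_realm '$expected'"
    fi
    return 1
}

# Constructed krb5.conf for the demo (assumption: real checks use /etc/krb5.conf).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[libdefaults]
 default_realm = MLTEST1.LOCAL
EOF
check_user_realm "test1@MLTEST1.LOCAL" "$demo_conf" || true   # expected: OK
check_user_realm "test1@mltest1.local" "$demo_conf" || true   # expected: FAIL, case only
check_user_realm "test1" "$demo_conf" || true                 # expected: FAIL, no realm
rm -f "$demo_conf"
```

Only the realm is compared here; the username itself is also case sensitive, so a mismatch there still has to be checked against the principal defined in the KDC.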

MarkLogic Trace Events

The Kerberos trace event can be enabled as described below. After enabling it, run the Kerberos login test again so the ErrorLog captures the trace events, which provide more information on the Kerberos handshake between MarkLogic and the Kerberos server.

Add the "Kerberos GSS Negotiate" trace event in the Admin UI by navigating to Configure -> Groups -> {group-name} -> Diagnostics, setting "trace events activated" to true, adding "Kerberos GSS Negotiate", and pressing the "ok" button.

List of other potential issues and troubleshooting techniques (well-compiled third-party source)


