Troubleshooting cheat sheet - Howto troubleshoot Kerberos issues with Access Manager 3.1

  • 7006042
  • 19-May-2010
  • 26-Apr-2012


Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server


AM 3.1 Kerberos cheat sheet

Functionality:    Kerberos is an authentication method for users who are already authenticated to a Microsoft Active Directory domain. Such users can retrieve Kerberos tickets from the Active Directory KDC (Key Distribution Center), and those tickets can be used for SSO to an NIDP server, provided a Kerberos class, method, and contract have been configured correctly.

Kerberos log settings required to capture all relevant traffic:

1. IDP - IDP logging must be enabled with the following parameters. /etc/init.d/novell-tomcat5 must be restarted afterwards for the changes to take effect.

- echo to console enabled
- Application and Liberty components set to DEBUG

Kerberos touch files:


Info to request:

0. Make sure that all of these log files are reset to 0 bytes before duplicating the issue. To do this, simply type echo > $filename, e.g. echo > /var/opt/novell/tomcat5/logs/catalina.out

1. Admin Console Server (AC)

- output of the “” script (from the /opt/novell/devman/bin directory). This allows us to view the class, method, and contract configuration.

2. Novell Identity Provider (NIDP)

The following log files allow us to view the initialization of the Kerberos class:
- on Linux: “/var/opt/novell/tomcat5/logs/catalina.out”
- on Windows: “/Program Files/Novell/Tomcat/logs/stdout.log”

Configuration Files:
- on SLES 9:   /usr/lib/java/jre/lib/security/bcslogin.conf
- on SLES 10: /opt/novell/java/jre/lib/security/bcslogin.conf
- on Windows: C:\Program Files\Novell\jre\lib\security\bcslogin.conf

3. Microsoft Windows Domain

- Verify that the user has the required servicePrincipalName attribute with a valid value. Enter the following command:
  setspn -L <userName> > setspn.txt

4. Microsoft Windows Client

- Is the client machine (XP, Vista, or Windows 7) a member of the AD domain?
- Is the client machine logged in with a user in the AD domain?
- Are you getting a ticket for the domain you have configured? (Use kerbtray.exe to verify.)
- Check whether the Web browser is configured to trust the Identity Server:
  For Internet Explorer version 7, click Tools > Internet Options > Security > Local intranet > Sites > Advanced.
  For Internet Explorer version 6, click Tools > Internet Options > Security > Trusted sites > Sites.
  In the "Add this website to the zone" text box, enter the Base URL for the Identity Server, then click Add.

What to look for in log files:

- Look at the catalina.out output of the Identity Server and locate the phrase "Commit Succeeded".

For example, the lines look similar to the following:
principal's key obtained from the keytab
principal is HTTP/
Added server's keyKerberos Principal HTTP/ Version 3key EncryptionKey:
keyType=3 keyBytes (hex dump)=0000: CB 0E 91 FB 7A 4C 64 FE
[Krb5LoginModule] added Krb5Principal HTTP/ to Subject
Commit Succeeded

When you see this, it indicates that the initialization of the Kerberos class was successful and things are looking good on the Access Manager side.
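The check above is a manual search through catalina.out. As an added example (not part of the original TID and not Novell code), the script below automates it: it scans the log text for the Krb5LoginModule initialization markers quoted in this TID, extracts the principal and key type, and lists what is missing when the class did not initialize. The log excerpt embedded in the script is constructed for the example, and the host name and realm in it are placeholders.

```python
"""Scan an Identity Server catalina.out for the Krb5LoginModule
initialization markers listed in the TID and report the result."""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample excerpt (not a real capture) modelled on the lines the TID
# says appear when the Kerberos class initializes successfully. Host and realm
# are placeholders.
SAMPLE_CATALINA_OUT = """\
INFO: Server startup in 4213 ms
principal's key obtained from the keytab
principal is HTTP/idp.example.com@EXAMPLE.COM
Added server's keyKerberos Principal HTTP/idp.example.com@EXAMPLE.COM Version 3key EncryptionKey: keyType=3 keyBytes (hex dump)=0000: CB 0E 91 FB 7A 4C 64 FE
[Krb5LoginModule] added Krb5Principal HTTP/idp.example.com@EXAMPLE.COM to Subject
Commit Succeeded
"""

PRINCIPAL_RE = re.compile(r"^principal is (\S+)")
KEYTYPE_RE = re.compile(r"keyType=(\d+)")


def check_kerberos_init(log_text: str) -> Dict[str, object]:
    """Return which initialization markers were seen plus a list of problems."""
    result: Dict[str, object] = {
        "keytab_key_obtained": False,
        "principal": None,
        "key_type": None,
        "principal_added_to_subject": False,
        "commit_succeeded": False,
        "problems": [],
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("principal's key obtained from the keytab"):
            result["keytab_key_obtained"] = True
        m = PRINCIPAL_RE.match(line)
        if m:
            result["principal"] = m.group(1)
        m = KEYTYPE_RE.search(line)
        if m:
            result["key_type"] = int(m.group(1))
        if "[Krb5LoginModule] added Krb5Principal" in line and line.endswith("to Subject"):
            result["principal_added_to_subject"] = True
        if "Commit Succeeded" in line:
            result["commit_succeeded"] = True

    problems: List[str] = result["problems"]  # type: ignore[assignment]
    if not result["keytab_key_obtained"]:
        problems.append("no 'principal's key obtained from the keytab' line: keytab not read")
    principal: Optional[str] = result["principal"]  # type: ignore[assignment]
    if principal is None:
        problems.append("no 'principal is ...' line: bcslogin.conf principal not loaded")
    elif not principal.startswith("HTTP/"):
        problems.append("principal %r is not an HTTP/ service principal" % principal)
    if not result["principal_added_to_subject"]:
        problems.append("Krb5Principal was not added to the Subject")
    if not result["commit_succeeded"]:
        problems.append("no 'Commit Succeeded' line: Kerberos class did not initialize")
    return result


def is_initialized(log_text: str) -> bool:
    """True only when every marker the TID lists is present."""
    return not check_kerberos_init(log_text)["problems"]


if __name__ == "__main__":
    # Usage: python check_krb_init.py /var/opt/novell/tomcat5/logs/catalina.out
    # With no argument the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CATALINA_OUT
    report = check_kerberos_init(text)
    for key in ("principal", "key_type", "commit_succeeded"):
        print("%-20s %s" % (key + ":", report[key]))
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    sys.exit(0 if is_initialized(text) else 1)
```

Run it against the real catalina.out after restarting novell-tomcat5; a non-zero exit with one or more PROBLEM lines points at the keytab or bcslogin.conf entries to check next.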

Check that bcslogin.conf has the correct entries (refer to the documentation).

Useful TIDs:

1. Clustered IDP needs manual copy of Kerberos configuration files -
2. Kerberos authentication card falling back to form-based authentication when no Kerberos token is submitted -
3. Upgrading Novell Access Manager from 3.0.4 to 3.1 will break the Kerberos authentication service -
4. Cannot authenticate to Identity Server using Kerberos with IE8 or updated Windows patches -