
Troubleshooting and debugging

  • Kerberos SSO is not triggered even if the ticket is available on the machine.

    • Verify the encryption type of the Kerberos ticket and check that the configured keytab supports that encryption type. The encryption type is not negotiated when the Kerberos ticket is obtained and may come from the default configuration. Make sure that the proper encryption types are configured globally or per account.

  • Kerberos ticket is not created on the machine

    • Verify that SPNEGO was enabled correctly for the application you are trying to access. When the SPNEGO configuration is in place, an error page saying that SPNEGO is not available should appear briefly during the authentication flow.

    • Verify the DNS-resolved name of the IdP and the keytab SPN. The SPN must be for the same resolved name; otherwise the KDC will not provide a ticket during DNS validation.

  • How to enable tracing logs on Veridium Server

    • Set Kerberos and SPNEGO to debug via Java options in the Tomcat configuration. Append the following line to /opt/veridiumid/tomcat/bin/setenv.sh

      JAVA_OPTS="$JAVA_OPTS -Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true -Dsun.security.jgss.debug=true"

    • Increase log levels for Shibboleth SPNEGO by adding the following lines to /opt/veridiumid/shibboleth-idp/conf/logback.xml

      <logger name="com.veridium.integrations.shibboleth.spnego" level="TRACE"/>
      <logger name="net.shibboleth.idp.authn.spnego" level="TRACE"/>
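For the encryption-type check in the first troubleshooting item above, the comparison between ticket and keytab can be scripted. This is an added example, not Veridium code: it assumes the text formats printed by MIT Kerberos `klist -e` and `klist -ke`, and the SPN, realm and sample listings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not vendor code). Assumed input formats (MIT Kerberos):
#   klist -e            -> ticket cache with "Etype (skey, tkt): ..." lines
#   klist -ke <keytab>  -> "KVNO Principal (enctype)" lines
# The sample text below is constructed; SPN and realm are placeholders.
SPN='HTTP/idp.dev.local@DEV.LOCAL'
SAMPLE_TICKETS='Default principal: user@DEV.LOCAL
Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/DEV.LOCAL@DEV.LOCAL
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/01/2024 10:00:05  01/01/2024 20:00:00  HTTP/idp.dev.local@DEV.LOCAL
    renew until 01/08/2024 10:00:00
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac'
SAMPLE_KEYTAB='KVNO Principal
---- ------------------------------------------------------------
   3 HTTP/idp.dev.local@DEV.LOCAL (aes256-cts-hmac-sha1-96)
   3 HTTP/idp.dev.local@DEV.LOCAL (aes128-cts-hmac-sha1-96)'

# Enctype the KDC used to encrypt the service ticket ($1 = klist -e text, $2 = SPN).
ticket_etype() {
  printf '%s\n' "$1" | awk -v spn="$2" '
    /@/ { hit = ($NF == spn) }          # principal line: is it our SPN?
    hit && /Etype/ { sub(/.*, */, ""); sub(/^DEPRECATED:/, ""); print; exit }'
}

# Enctypes for which the keytab holds a key ($1 = klist -ke text, $2 = SPN).
keytab_etypes() {
  printf '%s\n' "$1" | awk -v spn="$2" '
    $2 == spn { e = $NF; gsub(/[()]/, "", e); sub(/^DEPRECATED:/, "", e); print e }'
}

# Report whether the keytab can decrypt the ticket issued for the SPN.
check_etype() {  # $1 = klist -e text, $2 = klist -ke text, $3 = SPN
  t=$(ticket_etype "$1" "$3")
  [ -n "$t" ] || { echo "NO_TICKET"; return 2; }
  if keytab_etypes "$2" "$3" | grep -qxF -- "$t"; then
    echo "OK $t"
  else
    echo "MISMATCH ticket=$t keytab=$(keytab_etypes "$2" "$3" | paste -sd, -)"
    return 1
  fi
}

check_etype "$SAMPLE_TICKETS" "$SAMPLE_KEYTAB" "$SPN" || true
```

On a real host, pass the output of `klist -e` and `klist -ke` for the IdP keytab in place of the sample variables.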

implicitUPN - for federated domains

Edit the config.json file

default setup

implicitUPN

dev.local

"useImplicitUpnInIdentityToken": {
  "condition": {
    "rule": "EMAIL_EQUALS_UPN",
    "applyForDomains": [
      "dev.local"
    ],
    "enabled": true
  },
  "enabled": true
}

customer example

"useImplicitUpnInIdentityToken": {
  "condition": {
    "rule": "EMAIL_EQUALS_UPN",
    "applyForDomains": ["vt.ch", "VT.CH"],
    "enabled": true
  },
  "enabled": true
}

Default Deployment

"useImplicitUpnInIdentityToken": {
  "condition": {
    "rule": "EMAIL_EQUALS_UPN",
    "applyForDomains": [],
    "enabled": false
  },
  "enabled": false
}

Remove IdP error page after activating SPNEGO flow

When requests are made to SP applications that do not meet the SPNEGO flow, an error page appears for ~100ms.

To replace this message with a blank page, perform the steps below:

  1. cp /opt/veridiumid/shibboleth-idp/views/spnego-unavailable.vm /opt/veridiumid/shibboleth-idp/views/BKPspnego-unavailable.vm

  2. vi /opt/veridiumid/shibboleth-idp/views/spnego-unavailable.vm

    1. Delete all content.

    2. Add:

       <!DOCTYPE html>
       <html>
       <head>
           <title>Error</title>
       </head>
       <body onload="window.location = '$errorUrl'">
       </body>
       </html>

  3. Refresh your SP page in the browser.
