Troubleshooting and debugging
Kerberos SSO is not triggered even if the ticket is available on the machine.
Verify the encryption type of the Kerberos ticket and check whether the configured keytab contains a key for that encryption type. The encryption type is not negotiated when the Kerberos ticket is obtained and may depend on the default configuration. Make sure that the proper encryption types are configured globally or per account.
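The check above, as an added shell example that is not part of the Veridium documentation: it takes the MIT Kerberos output of `klist -e` (ticket cache) and `klist -k -e <keytab>` (keytab), extracts the ticket etype for the IdP SPN and reports any etype the keytab cannot decrypt. The SPN HTTP/idp.example.com, the keytab path and all sample output are constructed assumptions.

```shell
# Added example, not part of the Veridium documentation: compare the etype of the
# cached service ticket for the IdP SPN with the etypes present in the keytab (the
# mismatch described in the first troubleshooting item). Assumes MIT Kerberos
# output formats: `klist -e` (ticket cache) and `klist -k -e <keytab>` (keytab).
# All sample output below is constructed.

# Print the ticket (tkt) etype of the cached ticket(s) for the given SPN.
ticket_etypes() {   # $1 = SPN substring; klist -e output on stdin
    awk -v spn="$1" '
        index($0, spn) { want = 1; next }
        want && /Etype \(skey, tkt\):/ { sub(/.*tkt\): */, ""); sub(/ *$/, "")
                                        split($0, e, /, */); print e[2] }
        { want = 0 }' | sort -u
}
# Print the etypes shown in parentheses by `klist -k -e`, one per line.
keytab_etypes() {   # klist -k -e output on stdin
    sed -n 's/.*(\([^)]*\)) *$/\1/p' | sort -u
}
# Return 0 when every ticket etype for the SPN exists in the keytab, 1 otherwise.
check_etype_match() {   # $1 = SPN, $2 = klist -e output, $3 = klist -k -e output
    kt=$(printf '%s\n' "$3" | keytab_etypes)
    missing=""
    for et in $(printf '%s\n' "$2" | ticket_etypes "$1"); do
        printf '%s\n' "$kt" | grep -qx "$et" || missing="$missing $et"
    done
    if [ -n "$missing" ]; then
        echo "keytab lacks ticket etype(s) for $1:$missing"; return 1
    fi
    echo "keytab covers the ticket etype(s) for $1"
}

# Constructed sample: the client holds an aes256 service ticket for the IdP ...
SAMPLE_TICKETS=$(cat <<'EOF'
Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/01/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/01/2024 09:00:05  01/01/2024 19:00:00  HTTP/idp.example.com@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
EOF
)
# ... but the keytab only carries aes128 and RC4 keys for that SPN, so SSO fails.
SAMPLE_KEYTAB=$(cat <<'EOF'
Keytab name: FILE:/path/to/idp.keytab
KVNO Principal
   3 HTTP/idp.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 HTTP/idp.example.com@EXAMPLE.COM (arcfour-hmac)
EOF
)
check_etype_match HTTP/idp.example.com "$SAMPLE_TICKETS" "$SAMPLE_KEYTAB" || echo "exit status: $?"
```

On a real host, feed it `klist -e` from the client and `klist -k -e` from the IdP keytab; the krbtgt ticket is deliberately ignored because only the service ticket's etype must be present in the IdP keytab.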
Kerberos ticket is not created on the machine
Verify that SPNEGO was enabled correctly for the application you are trying to access. When the SPNEGO configuration is in place, an error page stating that SPNEGO is not available should be visible briefly during the authentication flow.
Verify the DNS-resolved name of the IdP and the SPN in the keytab. The SPN must be for the same resolved name; otherwise the KDC would not issue a ticket for it during DNS validation.
How to enable tracing logs on Veridium Server
Set Kerberos and SPNEGO to debug via JAVA options in the Tomcat configuration. Append the following line to
/opt/veridiumid/tomcat/bin/setenv.sh
JAVA_OPTS="$JAVA_OPTS -Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true -Dsun.security.jgss.debug=true"
Increase the log levels for Shibboleth SPNEGO by adding the following lines in
/opt/veridiumid/shibboleth-idp/conf/logback.xml
<logger name="com.veridium.integrations.shibboleth.spnego" level="TRACE"/>
<logger name="net.shibboleth.idp.authn.spnego" level="TRACE"/>
implicitUPN - for federated domains
Edit the config.json file:
default setup | implicitUPN |
---|---|
dev.local | "useImplicitUpnInIdentityToken": { |
customer example | "useImplicitUpnInIdentityToken": { "condition": { "rule": "EMAIL_EQUALS_UPN", "applyForDomains": ["vt.ch", "VT.CH"], "enabled": true }, "enabled": true } |
Default Deployment | "useImplicitUpnInIdentityToken": { |
Remove IdP error page after activating SPNEGO flow
When requests are performed to SP applications that do not meet the SPNEGO flow, an error page appears for ~100ms.
To replace this message with a blank page, perform the steps below:
cp /opt/veridiumid/shibboleth-idp/views/spnego-unavailable.vm /opt/veridiumid/shibboleth-idp/views/BKPspnego-unavailable.vm
vi /opt/veridiumid/shibboleth-idp/views/spnego-unavailable.vm
delete all content and add:
<!DOCTYPE html>
<html>
<head>
<title>Error</title>
</head>
<body onload="window.location = '$errorUrl'">
</body>
</html>
Refresh your SP page in the browser.