Troubleshooting Kerberos authentication to LDAP servers

If you experience problems with Kerberos authentication to an LDAP server, refer to error messages from your Open Liberty server or HTTP error messages to debug the problem. The following information can help determine the causes of common problems and error messages that are associated with Kerberos authentication to LDAP servers.

Users cannot log in, even if non-Kerberos enabled registries are available.

If multiple user registries are configured for an Open Liberty server, all basic, custom, and LDAP user registries are combined into a single federated user registry. By default, the server must successfully search for the user in all participating user registries to verify that the user is unique within the federated user registry. If a Kerberos-enabled LDAP server in a federated registry uses a Kerberos ticket cache to hold user credentials and the credentials expire, a search of the LDAP registry fails. To resolve the problem, renew the Kerberos ticket cache. For example, you can renew the Kerberos ticket cache by using the Java kinit tool.

To avoid failures if a user registry is unavailable, configure the allowOpIfRepoDown attribute in your server.xml file. Set the allowOpIfRepoDown attribute to true on the primaryRealm subelement of the federatedRepository element, as shown in the following example:

<federatedRepository>
        <primaryRealm name="FederatedRealm" allowOpIfRepoDown="true">
            <participatingBaseEntry name="o=SampleBasicRealm"/>
            <participatingBaseEntry name="o=ibm,c=us"/>
        </primaryRealm>
</federatedRepository>

For more information, see the Federated User Registry feature.

Performance is slow when Kerberos is configured for a federated user registry.

Enabling the allowOpIfRepoDown attribute on the federatedRepository element can help avoid failures if one or more user registries in a federated user registry are unavailable. However, this configuration might result in slower overall performance if Kerberos credentials are specified in a ccache file with the krb5TicketCache attribute. When Kerberos credentials are in a ccache file, Open Liberty attempts to auto-renew expiring credentials, which can result in slower performance.

To avoid this problem, you can specify Kerberos credentials in a keytab file with the kerberos element. Credentials in a keytab file do not expire so auto-renewal is not necessary. For more information, see Kerberos authentication for Open Liberty.

The Kerberos principal name is not in the Kerberos ticket cache file.

If the Kerberos principal name is not found in the Kerberos ticket cache file, Open Liberty logs the CWIML message type. A missing Kerberos principal name can occur for the following reasons:

  • No credential was generated for the Kerberos principal name, which results in an incorrect Kerberos configuration.

  • The Kerberos ticket cache contains an expired credential.

In either case, renew the Kerberos ticket cache to resolve the problem. For example, you can renew the Kerberos ticket cache by using the Java kinit tool.

Depending on the type of Java SDK, the message that you can receive is similar to one of the following examples:

CWIML4507E: Kerberos login failed with the [email protected] Kerberos principal and the C:\krb5\krb5-user1.cc Kerberos credential cache (ccache). javax.security.auth.login.LoginException: Unable to obtain password from user

CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32))]] occurred during processing.

CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.NamingException: CWIML4507E: Kerberos login failed with the [email protected] Kerberos principal and the C:\krb5\krb5-user1.cc Kerberos credential cache (ccache). javax.security.auth.login.LoginException: Unable to obtain password from user

To review the expiration time of the Kerberos principal user, run the Java klist tool.