In my last three posts I covered the creation of the Domain Account, SPN and Keyfile, the required configuration on the web and application server and the PeopleCode and security changes. However, as a final bonus I thought I would cover some troubleshooting tips that I found helpful during my implementation.
If the authentication is not working, open the PIA_weblogic.log and look for a message like KerberosSSOFilter: Received invalid token. This indicate that the token received from the client browser is incorrect or invalid. To further troubleshoot this issue, download and install Wireshark. Using Wireshark, capture the Kerberos traffic when trying to access the website with Kerberos authentication configured. The filter should be set to kerberos.
In this case we get an error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Expand the captured package, and review the KerberosString. It should match the A-record of the target server.
If a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN is received and the KerberosString is correct, verify if there are duplicate SPNs by running setspn -X:
Delete any duplicate SPN:
setspn -D HTTP/srv-ihmt-dev.smartpeoplesoftadmin.com <service account>
After deleting the duplicate entry, Wireshark should show something like this:
Failed to Switch User
If PeopleSoft logs in as the PS_GUEST user instead of the actual client user, check the APPSERVER log, which probably shows something like this:
PSAPPSRV.20528 (54) [2016-09-23T15:15:09.934 GetCertificate](3) Returning context. ID=PS_GUEST, Lang=ENG, UStreamId=1511111111_20528.54, Token=HCM/2016-09-23-09.15.09.000000/PS_GUEST/ENG/
You also do not see the following
SetAuthenticationResult(TRUE) called to change user ID from PS_GUEST to JOHNDOE
This indicate that the Application server did not switch user from PS_GUEST to the actual user. This is usually caused by incorrect configuration of the krbLogin.conf or krb5.keytab file. If the webserver and app server are on different machines, the krbLogin.conf and krb5.keytab must be the same on the app server as on the web server. This Kerberos ticket is issued by the web server and needs to be validated by the app server using the same configuration and keytab file.
Of course, there are many other possible issues. Please comment below or contact me at firstname.lastname@example.org