Troubleshooting
Problem
When setting up Kerberos for the Content Engine, logging into FileNet Content Engine Enterprise Manager fails.
Cause
The Active Directory (AD) user account that is the "identity" behind the Kerberos Service Principal Name (SPN) had a password that contained a special character (e.g., @).
Diagnosing The Problem
The following errors appear in the application server log:
[5/20/11 12:20:14:905 EDT] 00000047 SystemOut O [JGSS_DBG_CTX] AuthenticatorCache, scope of bucket122
[5/20/11 12:20:14:905 EDT] 00000047 SystemOut O [JGSS_DBG_CTX] ticket enc type = des-cbc-md5
[5/20/11 12:20:14:952 EDT] 00000047 SystemOut O [KrbServiceLoginModule] acceptSecContext succeeded and returned a null AP_RES
[5/20/11 12:20:14:952 EDT] 00000047 SystemOut O [KrbServiceLoginModule] acceptSecContext call failed to establish security context!
[5/20/11 12:20:14:952 EDT] 00000047 SystemOut O [KrbServiceLoginModule] login failure: Failed Kerberos service ticket login: could not establish context
[5/20/11 12:20:15:077 EDT] 00000047 FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\ffdc\server1_6a4d6a4d_11.05.20_12.20.15.0615005901075203008704.txt com.ibm.websphere.security.PasswordCheckFailedException 190
...
...
[5/20/11 12:20:15:108 EDT] 00000047 SystemOut O [KrbServiceLoginModule] aborting
[5/20/11 12:20:15:124 EDT] 00000047 SystemOut O [WSIAuthenticatorImpl] Web services Kerberos login failed: Failed Kerberos service ticket login: could not establish context.: Failed Kerberos service ticket login: could not establish context
The corresponding ffdc log shows the following error:
[5/20/11 12:20:15:061 EDT] FFDC Exception:com.ibm.websphere.wim.exception.PasswordCheckFailedException SourceId:com.ibm.websphere.security.PasswordCheckFailedException ProbeId:190 Reporter:com.ibm.websphere.security.PasswordCheckFailedException@4e9a4e9a
com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E No principal is found from the 'KerberosUser' principal name.
Resolving The Problem
The Content Engine needs to have the password for the "identity" user account. This is performed by setting up the keytab (key table).
- Modify the password for the AD domain user account so that it does not contain any special characters.
- To create the keytab, run the "ktab" utility from a command prompt on the Content Engine server system.
- On Windows-based WebLogic or JBoss application servers, enter:
- %JAVA_HOME%\bin\ktab -a FNCEWS_mycemp01@MYDOM.EXAMPLE.COM
- On Windows-based WebSphere application servers, enter (on a single line):
- %JAVA_HOME%\bin\java com.ibm.security.krb5.internal.tools.Ktab -a FNCEWS_mycemp01@MYDOM.EXAMPLE.COM
- On UNIX-based application servers, replace %JAVA_HOME%\bin\ with ${JAVA_HOME}/bin/ in the commands above.
- Restart the application server.
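After ktab has written the keytab, it is worth confirming that the file really holds an entry for the SPN, with the enctype the KDC issued (the log above shows a des-cbc-md5 service ticket; a keytab whose only key is a different enctype fails in the same "could not establish context" way). The parser below is an added example, not part of the IBN technote or of ktab; it reads the MIT/Java keytab format (version 0x0502), and the sample keytab bytes and key are constructed here for illustration.

```python
import struct

# Enctype numbers from RFC 3961/3962/4757; names are for display only.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _read_counted(buf, pos):
    """Keytab counted octet string: 16-bit big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return a list of (principal, kvno, enctype_name) for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos); comps.append(comp.decode())
        (_ntype, _ts, vno8, etype) = struct.unpack_from(">IIBH", data, pos); pos += 11
        _key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, ENCTYPES.get(etype, str(etype))))
    return entries

def build_entry(principal, kvno, etype, key):
    """Constructed-sample builder for one keytab entry (name type 1 = NT-PRINCIPAL)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

def check_spn(data, spn):
    """True when the keytab has at least one key for the given SPN."""
    return any(p == spn for p, _, _ in parse_keytab(data))

# Constructed sample: the technote's SPN with kvno 3 and a dummy 8-byte des-cbc-md5 key.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("FNCEWS_mycemp01@MYDOM.EXAMPLE.COM", 3, 3, b"\x01" * 8)
```

To check a real file, pass `open(path, "rb").read()` to `parse_keytab` and compare the listed enctypes with the "ticket enc type" line in the server log.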
Document Information
Modified date: 17 June 2018
UID: swg21500862