IBM Support

FileNet Enterprise Manager login fails with "Failed Kerberos service ticket login: could not establish context"

Troubleshooting


Problem

When setting up Kerberos for the Content Engine, logging into FileNet Content Engine Enterprise Manager fails.

Cause

The Active Directory (AD) user account that is the "identity" behind the Kerberos Service Principal Name (SPN) had a password that contained a special character (e.g., @).

Diagnosing The Problem

The following error appears in the application server log:

[5/20/11 12:20:14:905 EDT] 00000047 SystemOut O [JGSS_DBG_CTX] AuthenticatorCache, scope of bucket122
[5/20/11 12:20:14:905 EDT] 00000047 SystemOut O [JGSS_DBG_CTX] ticket enc type = des-cbc-md5
[5/20/11 12:20:14:952 EDT] 00000047 SystemOut O [KrbServiceLoginModule] acceptSecContext succeeded and returned a null AP_RES
[5/20/11 12:20:14:952 EDT] 00000047 SystemOut O [KrbServiceLoginModule] acceptSecContext call failed to establish security context!
[5/20/11 12:20:14:952 EDT] 00000047 SystemOut O [KrbServiceLoginModule] login failure: Failed Kerberos service ticket login: could not establish context
[5/20/11 12:20:15:077 EDT] 00000047 FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\ffdc\server1_6a4d6a4d_11.05.20_12.20.15.0615005901075203008704.txt com.ibm.websphere.security.PasswordCheckFailedException 190
...
...
[5/20/11 12:20:15:108 EDT] 00000047 SystemOut O [KrbServiceLoginModule] aborting
[5/20/11 12:20:15:124 EDT] 00000047 SystemOut O [WSIAuthenticatorImpl] Web services Kerberos login failed: Failed Kerberos service ticket login: could not establish context.: Failed Kerberos service ticket login: could not establish context


The corresponding ffdc log shows the following error:

[5/20/11 12:20:15:061 EDT] FFDC Exception:com.ibm.websphere.wim.exception.PasswordCheckFailedException SourceId:com.ibm.websphere.security.PasswordCheckFailedException ProbeId:190 Reporter:com.ibm.websphere.security.PasswordCheckFailedException@4e9a4e9a
com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E No principal is found from the 'KerberosUser' principal name.

Resolving The Problem

The Content Engine needs the password of the "identity" user account; it is supplied by creating a keytab (key table) for that account.

  1. Modify the password for the AD domain user account so that it does not contain any special characters.

  2. To create the keytab, run the "ktab" utility from a command line on the Content Engine server system.
    • On Windows-based WebLogic or JBoss application servers, enter:
    • On Windows-based WebSphere application servers, enter (on a single line):
    • On UNIX-based application servers, replace %JAVA_HOME%\bin\ with ${JAVA_HOME}/bin/ in the lines above.
  3. Restart the application server.
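The JGSS debug line in the application server log above ("ticket enc type = des-cbc-md5") names the encryption type of the service ticket the client presented, and the keytab created in step 2 must hold a key for the SPN with that same encryption type or acceptSecContext cannot establish the context. The following script is an added example, not IBM's code and not part of this technote: it parses a keytab file (version 0x0502 format, as written by ktab), looks for the SPN, and compares the entry's encryption type with the one reported in the log. The SPN "HTTP/ce.example.com@EXAMPLE.COM", the realm and the key bytes are constructed placeholders; the log line is the one quoted in the diagnosis section.

```python
"""Added example (not IBM's code): verify that a Kerberos keytab holds an entry
for the Content Engine SPN whose encryption type matches the one the
application server log reports for the incoming service ticket."""
import re
import struct

# Kerberos encryption-type numbers (RFC 3961 / IANA registry) for the
# names that appear in JGSS debug output.
ENCTYPE_IDS = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3, "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18, "rc4-hmac": 23,
}
ENCTYPE_NAMES = {v: k for k, v in ENCTYPE_IDS.items()}


def _counted(buf, off):
    """Read a uint16-length-prefixed byte string (keytab 'counted octet string')."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data):
    """Parse a version 0x0502 keytab into dicts with principal, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # a negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        # name_type, timestamp, 8-bit kvno, then keyblock (enctype, key length)
        _name_type, _timestamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = bytes(data[off:off + klen])
        off += klen
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno; used when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def build_keytab(entries):
    """Serialise (realm, components, kvno, enctype, key) tuples in 0x0502 format.
    Only used here to construct sample input; ktab writes the real file."""
    out = bytearray(b"\x05\x02")
    for realm, comps, kvno, enctype, key in entries:
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def ticket_enctype_from_log(log_text):
    """Pull the enctype name from a JGSS_DBG_CTX 'ticket enc type = ...' line."""
    m = re.search(r"ticket enc type = (\S+)", log_text)
    return m.group(1) if m else None


def check_keytab_for_ticket(keytab_bytes, spn, log_text):
    """Return (ok, reason): ok when the keytab has an entry for spn whose
    enctype equals the ticket enctype reported in the log."""
    wanted = ticket_enctype_from_log(log_text)
    if wanted is None:
        return False, "log does not report a ticket enc type"
    wanted_id = ENCTYPE_IDS.get(wanted)
    if wanted_id is None:
        return False, "unknown enctype name in log: " + wanted
    matches = [e for e in parse_keytab(keytab_bytes) if e["principal"] == spn]
    if not matches:
        return False, "no keytab entry for " + spn
    if not any(e["enctype"] == wanted_id for e in matches):
        have = ", ".join(ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in matches)
        return False, "keytab has %s for %s but the ticket uses %s" % (have, spn, wanted)
    return True, "keytab entry for %s with %s present" % (spn, wanted)


# Constructed sample input: hypothetical SPN and dummy key material, not from the technote.
SPN = "HTTP/ce.example.com@EXAMPLE.COM"
DES_KEY = bytes.fromhex("0102040708101315")   # dummy 8-byte DES key
AES_KEY = bytes(32)                           # dummy 32-byte AES-256 key
# This log line is the one quoted in the diagnosis section of the technote.
LOG_LINE = "[5/20/11 12:20:14:905 EDT] 00000047 SystemOut O [JGSS_DBG_CTX] ticket enc type = des-cbc-md5"
GOOD_KEYTAB = build_keytab([("EXAMPLE.COM", ["HTTP", "ce.example.com"], 2, 3, DES_KEY)])
BAD_KEYTAB = build_keytab([("EXAMPLE.COM", ["HTTP", "ce.example.com"], 2, 18, AES_KEY)])

if __name__ == "__main__":
    for label, kt in (("good", GOOD_KEYTAB), ("bad", BAD_KEYTAB)):
        print(label, check_keytab_for_ticket(kt, SPN, LOG_LINE))
```

To run it against a real keytab, read the file produced by ktab with open(path, "rb").read() in place of GOOD_KEYTAB and pass the SPN the Content Engine is registered under; a "no keytab entry" result after step 2 usually means ktab was given a principal that does not match the SPN, while an enctype mismatch means the keytab was generated with a different encryption type than the one the KDC issues tickets with.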


Document Information

Modified date:
17 June 2018

UID

swg21500862