Troubleshooting Error Logs

This topic describes Windows Auto-login success/failure scenarios.

User logs in successfully

Check uaa.log to verify that the TGT/Kerberos token was generated properly. The token should start with YII. You can ignore the lengthy token value in the log entries.

[2022-02-22 19:29:41.949] cloudfoundry-identity-server - 14188 [http-nio-9480-exec-8] .... DEBUG --- SpnegoAuthenticationProcessingFilter: Received Negotiate Header for request https://win16-sachin.uaatestad.ge.com/uaa/: Negotiate YIIHVQYGKwY********

A local Windows (non-domain) user attempts Windows Auto-login (using query parameter in the URL) from a domain member machine

The browser displays an error. The error message also appears in uaa.log. The following error appears when attempting to log in with the domain name in the URL.

The following error appears when attempting to log in with a non-domain name in the URL.

Bad or missing keytab file (or) Bad SPN in uaa.yml file

The following errors appear in uaa.log.

[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Kerberos validation not successful. Encountered Bad Credentials Exception : Kerberos validation not successful
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Kerberos validation not successful. Encountered Bad Credentials Exception : Kerberos validation not successful
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Defective token detected (Mechanism level: GSSHeader did not find the right tag)
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Defective token detected (Mechanism level: GSSHeader did not find the right tag)
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] ....  WARN --- SpnegoAuthenticationProcessingFilter: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKADk4AAAADw==
org.springframework.security.authentication.BadCredentialsException: Bad Credentials excpetion. It could be due to keytab file and the SPN configuration.

Crypto Mismatch

A crypto mismatch occurs if the encryption algorithm specified when using ktpass.exe to generate the keytab does not match what the service account supports.

[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Kerberos validation not successful. Encountered Bad Credentials Exception : Kerberos validation not successful
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Kerberos validation not successful. Encountered Bad Credentials Exception : Kerberos validation not successful
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC

Clock skew between client and server

The following errors appear in uaa.log.

[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Clock skew too great (37)
[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Clock skew too great (37)

Note: Make sure the clocks on all three systems are synchronized.
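
The log checks in the scenarios above can be scripted. The following Python sketch is an added example, not part of the product or its documentation: it classifies a Negotiate header value by its leading bytes (a GSS-API token, which base64-encodes to the YII prefix, versus an NTLMSSP message such as the TlRMTVNTUAAB... header in the keytab/SPN excerpt) and maps the root-cause strings from these excerpts to a scenario. The function names, the labels and the uaa.example.test host are assumptions of this example.

```python
import base64
import re

SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
ROOT_CAUSES = [  # substrings from this page's uaa.log excerpts; labels are this example's own
    ("Clock skew too great", "clock-skew"),
    ("Cannot find key of appropriate type", "crypto-mismatch"),
    ("GSSHeader did not find the right tag", "defective-token"),
]

def negotiate_token(line):
    """Return the base64 text after the last 'Negotiate ' in a line, or None."""
    _, sep, tail = line.rpartition("Negotiate ")
    m = re.match(r"[A-Za-z0-9+/]+={0,2}", tail)
    return m.group(0) if sep and m else None

def token_kind(b64_token):
    """Classify a token by its leading bytes; works on truncated log values."""
    usable = b64_token[: len(b64_token) // 4 * 4]  # drop a partial last group
    try:
        raw = base64.b64decode(usable, validate=True)
    except ValueError:
        return "undecodable"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # NTLM message, not a Kerberos ticket
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API initial token
        for oid, name in ((SPNEGO_OID, "spnego"), (KRB5_OID, "kerberos")):
            if oid in raw[:16]:
                return name
        return "gss-api"  # header present, mechanism OID cut off in the log
    return "unknown"

def triage(lines):
    """Return de-duplicated findings, in first-seen order, for uaa.log lines."""
    findings = []
    for line in lines:
        found = [label for needle, label in ROOT_CAUSES if needle in line]
        token = negotiate_token(line)
        found += ["token:" + token_kind(token)] if token else []
        findings += [f for f in found if f not in findings]
    return findings

GOOD = base64.b64encode(b"\x60\x82\x07\x55" + SPNEGO_OID + bytes(8)).decode()  # constructed token
SAMPLE = [  # constructed lines modelled on the excerpts above; the NTLM header is the page's
    "DEBUG --- SpnegoAuthenticationProcessingFilter: Received Negotiate Header for request https://uaa.example.test/uaa/: Negotiate " + GOOD,
    "ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Defective token detected (Mechanism level: GSSHeader did not find the right tag)",
    "WARN --- SpnegoAuthenticationProcessingFilter: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKADk4AAAADw==",
]
```

A token:ntlm finding next to defective-token means the browser sent an NTLM message instead of a Kerberos ticket, which is the condition the "GSSHeader did not find the right tag" error reports.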

Useful SPN commands

To view existing SPNs: setspn -F -Q HTTP/<FQDN>

Example: setspn -F -Q HTTP/[email protected]

To delete an SPN: setspn -D HTTP/<FQDN> <user account>

Example: setspn -D HTTP/[email protected] ghost1