Versions Compared

Old Version 15

changes.mady.by.user user-78f34

Saved on

compared with

New Version 16

changes.mady.by.user user-78f34

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

As the last step, please restart the custo diagnostic server now.


If everything works and the logged in windows user is allowed to use custo diagnostic then this command should return "true".


Debugging & Testing


For testing Kerberos authentication without using the custo manager, you can use the curl utility that is installed in the same folder as the custo diagnostic client:

curl -u : --negotiate http://localhost:8080/diag/rest/v1/user/kerberos/test

...

or

curl -u : -vvvv --negotiate http://localhost:8080/diag/rest/v1/user/kerberos/test


You can add the following switches to the Java command line (via Configure custo diagnostic server in Startmenu):

-Dsun.security.krb5.debug=true
-Dsun.security.spnego.debug=true

After restarting Tomcat, you will find logging information in stdout and stderr files in the <custo diagnostic server installation directory>/logs directory 

and   <custo diagnostic data directory>/logs


Typical Error Messages and possible cause:

  • Cannot Obtain Password: Apache Tomcat looks for the password somewhere.
    Meaning, that it either cannot find the tomcat.keytab file (file location?) or the service principal name used in jaas.conf, tomcat.keytab file.
  • Cannot Sign In (Without Cannot Obtain Password): Tomcat gets the credentials from tomcat.keytab file, but it cannot sign in to the domain/domaincontroller. May be the Service Principal Name  used in the configuration files differ from the one used with ktpass?
  • Cannot locate Domain Controller.  The krb5.ini leads from the domain name to the domain controller.