If your Kerberos verification test fails, there are some
basic things you can check before accessing the troubleshooting system.
Follow the steps in this topic before working through the
Kerberos Troubleshooting section. Troubleshooting problems with Kerberos
can be complex, given the number of computers and amount of software
that can be involved.
Do the following steps to check your Kerberos for the
most common errors.
- Make sure that Content Platform Engine works
without Kerberos. Start Administration Console for Content Platform Engine and
log on as the gcd_admin. If you cannot log on,
then troubleshoot that before attempting to handle problems with Kerberos.
- You can find a file in installation\IBM\FileNet\ContentEngine\AuthnTest.zip that
contains AuthnTest.exe. You can run this on a
Windows system that has been set up with WSE. This program is a quick,
lightweight way to test the Kerberos setup.
- If this login fails or there still does appear to be a
Kerberos problem, then the problems can be broken down into whether
the error seems to be generated on the client or on the Content Platform Engine. In most cases, the
important part of the error will be near or at the end of the error
message. For instance, if the error message returned by the client
was WSE594: InitializeSecurityContext call failed with the following
error message: The network path was not found, the important
part of this message is The network path was not found.
- Turn on Kerberos debugging. On
WebSphere this is done by adding a debug=true option
to the KrbServiceLoginModule and turning on two JVM switches to get
detailed JVM debugging info:
-Dcom.ibm.security.jgss.debug=all
-Dcom.ibm.security.krb5.Krb5Debug=all
On WebLogic this is done by setting the debug option
true on the authentication provider's setup. Also turn on Sun Java's
Kerberos debugging by adding this JVM switch to WebLogic's startup:-Dsun.security.krb5.debug=true