Date Posted:
Product: TIBCO Spotfire®
Product: TIBCO Spotfire®
Problem:
Troubleshooting Guide for the Kerberos Authentication error, "Caused by: KrbException: Client not found in Kerberos database (6)".
Solution:
Description:
Login issue with Kerberos Authentication. This could be during the initial Kerberos Authentication setup or in an existing working environment with Kerberos Authentication. The server log file shows the error message, "Caused by: KrbException: Client not found in Kerberos database (6)" .
Symptoms:
- User can face login failure issues.
- Kerberos Authentication fails.
- Unable to configure Kerberos Authentication.
- The Spotfire Server log file shows an ERROR stack trace with the string "Caused by: KrbException: Client not found in Kerberos database (6)" .
================= Full ERROR Stack Trace ====================================================
ERROR 2014-01-27T17:03:20,020-0200 [] web.context.ContextLoader: Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public com.spotfire.server.security.AuthenticationManager com.spotfire.server.security.AuthenticationManagerFactory.createAuthenticationManager(com.spotfire.server.security.JAASInitializer) throws com.spotfire.server.ServerInitializationException] threw exception; nested exception is com.spotfire.server.ServerInitializationException: Failure acquiring a Kerberos TGT for the service principal
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:581)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:983)
..................
..................
Caused by: org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public com.spotfire.server.security.AuthenticationManager com.spotfire.server.security.AuthenticationManagerFactory.createAuthenticationManager(com.spotfire.server.security.JAASInitializer) throws com.spotfire.server.ServerInitializationException] threw exception; nested exception is com.spotfire.server.ServerInitializationException: Failure acquiring a Kerberos TGT for the service principal
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:157)
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:570)
... 38 more
Caused by: com.spotfire.server.ServerInitializationException: Failure acquiring a Kerberos TGT for the service principal
at com.spotfire.server.security.AuthenticationManagerFactory.createAuthenticationManager(AuthenticationManagerFactory.java:102)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
................
... 39 more
Caused by: javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
................
... 44 more
Caused by: KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
................
... 57 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
................
... 61 more
=====================================================================
This error can also be found during 'kinit' testing of the Keytab file as well (Note: The full error stack trace may be different).
Cause:
This error can be caused by the following:
- The keytab file may have been generated or mapped improperly.
- There is a duplicate SPN (ServicePrincipalNames) in Domain Controller.
- There is a duplicate UPN (userPrinclipalNames) in Domain Controller
- The used service account may have been deleted or disabled or its password has been changed/reset.
Resolution #1:
- Open the command/shell prompt on the Spotfire Server machine.
- Run following command:
kinit HTTP/<fully qualified SPN>@<Your DNS DOMAIN_NAME in Capital>
Example: kinit HTTP/myspotfireserver.mydomain.com@MYDOMAIN.COM
When prompted, enter the correct password used to create the Keytab file.
If the "New ticket is stored in cache file" message is generated after running the above command then the keytab file generated earlier is incorrect. Create a new keytab file to resolve the issue.
Resolution #2:
- Open the command prompt on the Spotfire Server machine or on the Domain Controller machine.
- Execute the following command:
setspn -x
This command looks for duplicate SPNs registered in the domain. If duplicate SPNs are found for Spotfire Server, then delete them using the 'setspn -D' command or contact your Domain Administrator to remove the duplicate ones.
- Create a new Keytab file and test.
Resolution #3:
- Ask the domain controller Administrator to check for duplicate UPNs (userPrincipalName) in the Domain and remove them.
- Recreate the Keytab file and check.
Resolution #4:
Check if the service account used for registering the SPN is disabled/deleted or if its password has been changed or expired.
- If the account is deleted then recreate the account and follow all Kerberos setup steps to reconfigure.
- If the account is disabled ,enable it.
- If the password has been changed/reset, recreate the Keytab with a new password. (Note: In this case the above stack trace will have the error message, " Pre-authentication information was invalid (24)".
http://technet.microsoft.com/en-us/library/dn535779.aspx
http://support.microsoft.com/kb/230476
http://weblogic-wonders.com/weblogic/2010/01/07/troubleshooting-kerberos-issues-with-weblogic-server/