Verify the Web Agent Configuration

Enable the Web Agent log and trace log in the Agent ACO to help troubleshoot the Web Agent.
Check Kerberos Configuration File
Check the settings in the Kerberos configuration file (krb5.conf). In general, Kerberos can automatically locate KDCs using DNS SRV records, so KDC addresses do not normally need to be listed. The critical items to be configured in the Kerberos configuration file are:
  • default_keytab_name
  • default_client_keytab_name
  • default_realm
  • default_ccache_name
  • forwardable
For information about the configuration file, see Configure a Kerberos Configuration File.
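The following script is an added example and is not part of the original page or the SiteMinder product. It parses a krb5.conf-style profile far enough to read the top-level [libdefaults] pairs, reports which of the five critical keys listed above are missing, and warns when forwardable is not enabled (unconstrained delegation forwards the user's TGT, which the KDC only permits for tickets issued as forwardable). The configuration text embedded in it is constructed; the realm, paths and host names are placeholders.

```python
"""Check a krb5.conf for the [libdefaults] settings this page calls critical.

Added example; not part of the original page or the SiteMinder product.
The parser understands "[section]" headers, "key = value" lines, "#" and ";"
comments, and skips nested "{ ... }" blocks (used under [realms]) so that
realm-specific keys are not mistaken for top-level settings.
"""
import re

REQUIRED_LIBDEFAULTS = (
    "default_keytab_name",
    "default_client_keytab_name",
    "default_realm",
    "default_ccache_name",
    "forwardable",
)

# Constructed sample configuration; realm, paths and hosts are placeholders.
SAMPLE_KRB5_CONF = """\
# constructed sample krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = FILE:/etc/krbsvc-smwa.keytab
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    forwardable = false
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} holding only top-level key/value pairs."""
    sections = {}
    current = None
    depth = 0  # nesting level inside "{ ... }" blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header and depth == 0:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):       # e.g. "EXAMPLE.COM = {"
            depth += 1
            continue
        if line == "}":
            depth = max(0, depth - 1)
            continue
        if depth or current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def check_libdefaults(text):
    """Return (missing_keys, warnings) for the [libdefaults] section."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    missing = [k for k in REQUIRED_LIBDEFAULTS if k not in libdefaults]
    warnings = []
    fwd = libdefaults.get("forwardable", "").lower()
    if fwd and fwd not in ("true", "yes", "1", "on"):
        # Unconstrained delegation forwards the user's TGT; the KDC only
        # allows that for tickets that were issued forwardable.
        warnings.append("forwardable is '%s'; delegation needs a forwardable TGT" % fwd)
    return missing, warnings


if __name__ == "__main__":
    missing_keys, found_warnings = check_libdefaults(SAMPLE_KRB5_CONF)
    print("missing:", missing_keys)
    print("warnings:", found_warnings)
```

Run against the sample, it reports default_client_keytab_name as missing and flags forwardable = false; point it at a real file with `check_libdefaults(open("/etc/krb5.conf").read())`.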
Check Keytab File
Verify the following about the keytab files:
  • Verify that the name and location of the keytab file on each host match what is specified in the krb5.conf file.
  • The krb5.keytab files for the Policy Server and the web server/Web Agent hosts must contain the host and service principal names. Ensure that the name matches the value in the HttpServicePrincipal ACO parameter.
  • Always confirm the encryption type that is used while creating the keytab file. Windows by default supports RC4-HMAC encryption.
  • Restart the Policy Server and web server services after any changes are made to the Kerberos configuration or the keytab files.
  • Verify that the keytab file is valid:
    Windows: Verify whether the keytab file is valid using the Windows support tools on the Policy Server and Web Agent. Run the following command:
      kinit -k -t keytab_file_location respective_spn
    For example:
      kinit -k -t C:\Windows\webserver.keytab HTTP/[email protected]
    This command returns no error when the keytab file is valid.
    UNIX: Verify that the keytab files on the Policy Server and Web Agent are valid by running the following commands:
      kinit -k -t keytab_file service_principal_name
    For example:
      kinit -k -t krbsvc-smps.keytab smps/[email protected]
      kinit -k -t krbsv-smwa.keytab HTTP/[email protected]
    If you get no errors, the keytab files are fine and the krb5.conf file has valid values. If you get an error, verify that the SPN is valid in the KDC using the following command:
      kinit host/fqdn
    This command usually asks for a password. If you provide a valid password, you do not get an error message. If this command does not ask for a password, the SPN was not identified. Check the properties of that object. The SPN entry is on the Account tab, for example, host/fqdn. Verify that no other object has the same entry set as its SPN.
List Keytab File on Windows Using KTPASS.EXE
The contents of a keytab file can be listed using the KTPASS.EXE command with either the /in option or the -in option.
Example: The following keytab file is listed using the -in option:
  > ktpass -in C:\windows\krbsvc-smwa.keytab
  Existing keytab:

  Keytab version: 0x502
  keysize 74 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x1 (DES-CBC-CRC) keylength 8 (0x...)
  keysize 74 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x...)
  keysize 82 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x17 (RC4-HMAC) keylength 16 (0x...)
  keysize 98 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x12 (AES256-SHA1) keylength 32 (0x...)
  keysize 82 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x11 (AES128-SHA1) keylength 16 (0x...)
  WARNING: No principal name specified.
List Keytab File on Windows Using KLIST.EXE
The contents of a keytab file on Windows can also be listed using the klist.exe tool that ships with the Java JDK:
  > "C:\Program Files\Java\jdk1.8.0\bin\klist.exe" -e -k -t C:\Windows\krbsvc-smwa.keytab
  Key tab: C:\Windows\krbsvc-smwa.keytab, 5 entries found.
  [1] Service principal: HTTP/[email protected]
      KVNO: 8
      Key type: 1
      Time stamp: Dec 31, 1969 16:00:00
  [2] Service principal: HTTP/[email protected]
      KVNO: 8
      Key type: 3
      Time stamp: Dec 31, 1969 16:00:00
  [3] Service principal: HTTP/[email protected]
      KVNO: 8
      Key type: 23
      Time stamp: Dec 31, 1969 16:00:00
  [4] Service principal: HTTP/[email protected]
      KVNO: 8
      Key type: 18
      Time stamp: Dec 31, 1969 16:00:00
  [5] Service principal: HTTP/[email protected]
      KVNO: 8
      Key type: 17
      Time stamp: Dec 31, 1969 16:00:00
List Keytab File on Linux Using MIT Kerberos klist
The contents of a keytab file can be listed on Linux systems using the MIT Kerberos klist command. If Java is installed, the Java klist command can be used instead, as described in the previous section.
  $ klist -e -k -t krbsvc-smwa.keytab
  Keytab name: FILE:krbsvc-smwa.keytab
  KVNO Timestamp         Principal
  ---- ----------------- --------------------------------------------------------
     8 01/01/70 00:00:00 HTTP/[email protected] (des-cbc-crc)
     8 01/01/70 00:00:00 HTTP/[email protected] (des-cbc-md5)
     8 01/01/70 00:00:00 HTTP/[email protected] (arcfour-hmac)
     8 01/01/70 00:00:00 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
     8 01/01/70 00:00:00 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
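The script below is an added example and is not part of the original page or the SiteMinder product. It parses the MIT `klist -e -k -t` listing format shown above and applies the checks the preceding sections describe: the principal named in HttpServicePrincipal is present, every entry carries the same KVNO, and, optionally, that KVNO matches the one observed in an AS-REP or TGS-REP capture. It also reports entries using encryption types MIT Kerberos treats as weak (the DES family, which is disabled unless allow_weak_crypto is set) or deprecated (RC4, listed as arcfour-hmac); the sample listing deliberately mirrors the one above, and a keytab like it would trip those checks. The listing, SPN and realm in the script are constructed placeholders.

```python
"""Sanity-check a keytab from MIT 'klist -e -k -t' output.

Added example; not part of the original page or the SiteMinder product.
"""
import re

# Encryption types MIT Kerberos disables by default (DES family) or has
# deprecated (RC4 / arcfour).  A keytab holding only these cannot be used
# for AES-only Active Directory accounts.
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
               "arcfour-hmac", "arcfour-hmac-exp"}

# Constructed listing modelled on the page's example; realm/host are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:krbsvc-smwa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   8 01/01/70 00:00:00 HTTP/webserver.example.com@EXAMPLE.COM (des-cbc-crc)
   8 01/01/70 00:00:00 HTTP/webserver.example.com@EXAMPLE.COM (des-cbc-md5)
   8 01/01/70 00:00:00 HTTP/webserver.example.com@EXAMPLE.COM (arcfour-hmac)
   8 01/01/70 00:00:00 HTTP/webserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   8 01/01/70 00:00:00 HTTP/webserver.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

# One entry line: KVNO, "MM/DD/YY HH:MM:SS", principal, "(etype)".
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+ \S+)\s+(?P<principal>\S+)\s+\((?P<etype>[^)]+)\)\s*$"
)


def parse_klist(text):
    """Return a list of {kvno, principal, etype} dicts, one per keytab entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "kvno": int(m.group("kvno")),
                "principal": m.group("principal"),
                "etype": m.group("etype"),
            })
    return entries


def check_keytab(text, expected_spn, observed_kvno=None):
    """Return a list of findings; an empty list means the keytab looks healthy.

    expected_spn  : value configured in the HttpServicePrincipal ACO parameter
    observed_kvno : KVNO seen in an AS-REP or TGS-REP capture, if available
    """
    entries = parse_klist(text)
    if not entries:
        return ["no keytab entries parsed"]
    findings = []

    principals = {e["principal"] for e in entries}
    if expected_spn not in principals:
        findings.append("expected SPN %s not in keytab (found: %s)"
                        % (expected_spn, ", ".join(sorted(principals))))

    kvnos = {e["kvno"] for e in entries}
    if len(kvnos) > 1:
        findings.append("mixed KVNOs in keytab: %s" % sorted(kvnos))
    if observed_kvno is not None and observed_kvno not in kvnos:
        findings.append("KDC returned KVNO %d but keytab has %s"
                        % (observed_kvno, sorted(kvnos)))

    for e in entries:
        if e["etype"].lower() in WEAK_ETYPES:
            findings.append("weak etype %s for %s" % (e["etype"], e["principal"]))
    if not any(e["etype"].lower().startswith("aes") for e in entries):
        findings.append("no AES key in keytab")
    return findings


if __name__ == "__main__":
    for finding in check_keytab(SAMPLE_KLIST,
                                "HTTP/webserver.example.com@EXAMPLE.COM",
                                observed_kvno=8):
        print(finding)
```

Feed it the saved output of `klist -e -k -t your.keytab` and the SPN from the ACO; a mismatch between the observed KVNO and the keytab is the symptom to look for when the KDC has been given a new key (for example after a password reset) but the keytab was not regenerated.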
Check Web Agent Authentication to KDC
The Web Agent performs the Kerberos authentication on the first request for creds.kcc. Monitor the network traffic with a tool such as Wireshark, capturing DNS and Kerberos traffic.
Note the following checks:
  • Kerberos errors such as KRB5KDC_ERR_PREAUTH_REQUIRED and KRB5KRB_ERR_RESPONSE_TOO_BIG are expected status codes returned by the KDC. They are typically not a symptom of problems with the Kerberos authentication.
  • Check for the successful AS-REQ/AS-REP messages between the Web Agent and the KDC. This phase is called obtaining initial credentials: the Web Agent, using the saved credentials in the keytab file, authenticates to the KDC and acquires a ticket granting ticket (TGT).
  • Check that the key version number in the AS-REP response message matches the key version number that is observed on the Client.
  • If the account under which the Web Agent process runs has been changed, then stop the Web Agent, delete the credential cache from the C:\windows\temp\krb5cc file and the service cache from the C:\windows\temp\HTTP files, and start the Web Agent.
Check Policy Server Service Ticket from KDC
At this point, the Web Agent must be authenticated to the KDC and the Client must send Kerberos credentials in the HTTP request to the Kerberos credential collector. When the Web Agent receives the HTTP request, it requests a service ticket from the KDC using the TGS-REQ/TGS-REP messages.
Note the service ticket key version number that is returned by the KDC and ensure that it matches the key version number in the keytab file.
Check the network capture for TGS-REQ/TGS-REP messages for the "smps" ticket.
If a TGS-REQ message is not observed, then perform the following checks:
  • Check the packet capture for DNS traffic and confirm that the name in the SmpsServicePrincipal is resolved by DNS.
  • Check the Web Agent account on the KDC (usually Active Directory) and verify that the account is trusted for delegation. Configure unconstrained delegation using "Trust this user for delegation to any service (Kerberos only)" while troubleshooting. If that works, configure constrained delegation using "Trust this user for delegation to specified services only" and add the smps account/service to the list.