Does not apply to Identity Cloud

How do I enable debug logging for troubleshooting Kerberos and WDSSO issues in AM (All versions)?

Last updated Jun 3, 2021

The purpose of this article is to provide information on enabling debug logging for troubleshooting Kerberos™ and Windows Desktop SSO (WDSSO) issues in AM. This information applies if you are using the Kerberos authentication node or the WDSSO authentication module. Debug logging applies to the Krb5LoginModule of the JVM used by the web application container; this module is called by AM for Kerberos authentication.



Enabling debug logging

You can enable debug logging for the Krb5LoginModule of the JVM by setting the following JVM options in the application web container in which AM runs:

-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true

These options make the Krb5LoginModule (and the JGSS layer that calls it) write additional debug output to the JVM's stdout, which lets you trace the Kerberos V5 exchange step by step: which KDC is contacted, which principal and encryption types are in play, and at which point the exchange fails.

Additionally, you can set the following JVM option to enable debug logging for the SPNEGO token:

-Dsun.security.spnego.debug=true

Note

You should also ensure you have enabled Message level debugging in the AM debug logs as this provides much more information in the Authentication log. See Maintenance Guide › Debug Logging (AM 7 and later) or How do I enable Message level debugging in AM (All versions) debug files? for further information.

Example using Apache Tomcat™ web container

With AM running in the Tomcat web container, you enable debug logging by specifying CATALINA_OPTS settings in the setenv.sh file (typically located in the /tomcat/bin/ directory). catalina.sh sources this file on every start, so options placed there are passed to the JVM without editing catalina.sh itself. If the file doesn't exist, create it in the same directory as the catalina.sh file (the /tomcat/bin/ directory).

To enable debug logging:

  1. Add the following line to the setenv.sh file: export CATALINA_OPTS="-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Dsun.security.spnego.debug=true"
     If setenv.sh already exports CATALINA_OPTS (for example, heap or GC settings), extend the existing value instead of replacing it, for example: export CATALINA_OPTS="$CATALINA_OPTS -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Dsun.security.spnego.debug=true"
  2. Restart the web container; the options only take effect in a newly started JVM.

The additional debug output is sent to the Tomcat catalina.out log file by default. This output is verbose and is produced for every Kerberos authentication attempt, so remove the options and restart the container again once troubleshooting is complete.
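The following is an added example, not a script from the article or from ForgeRock: a POSIX shell helper that applies the procedure above to a Tomcat setenv.sh idempotently, extending any CATALINA_OPTS the file already exports rather than overwriting it, and that can remove the options again afterwards. The setenv.sh path and the pre-existing "-Xmx2g" setting in the demo are assumptions for illustration; point it at your own /tomcat/bin/setenv.sh.

```shell
#!/bin/sh
# Added example (not ForgeRock's own script). Enables or disables the JVM
# Kerberos/JGSS/SPNEGO debug options in a Tomcat setenv.sh without clobbering
# options that file already sets.

KRB_DEBUG_OPTS='-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Dsun.security.spnego.debug=true'

# enable_krb5_debug <path to setenv.sh>
# Appends an export line that extends (not replaces) CATALINA_OPTS. Creates the
# file if it is missing. Returns 0 once the options are present, 1 on failure.
enable_krb5_debug() {
    setenv="$1"
    [ -f "$setenv" ] || : > "$setenv" || return 1
    if grep -q 'sun.security.krb5.debug=true' "$setenv"; then
        return 0   # already enabled; do not add a duplicate line
    fi
    # "$CATALINA_OPTS" is written literally so that it expands when catalina.sh
    # sources the file, preserving whatever was exported earlier in setenv.sh.
    printf '%s\n' "export CATALINA_OPTS=\"\$CATALINA_OPTS $KRB_DEBUG_OPTS\"" >> "$setenv"
    grep -q 'sun.security.krb5.debug=true' "$setenv"
}

# disable_krb5_debug <path to setenv.sh>
# Removes exactly the line added above, for when troubleshooting is finished.
disable_krb5_debug() {
    setenv="$1"
    [ -f "$setenv" ] || return 1
    tmp="$setenv.tmp.$$"
    # -F: fixed-string match; --: the pattern starts with '-' and must not be
    # parsed as a grep option. grep exits 1 if nothing remains, which is fine.
    grep -vF -- "$KRB_DEBUG_OPTS" "$setenv" > "$tmp" || true
    mv "$tmp" "$setenv"
}

# resolved_catalina_opts <path to setenv.sh>
# Sources the file in a subshell, as catalina.sh does at startup, starting from
# an empty CATALINA_OPTS, and prints the value the JVM would receive.
resolved_catalina_opts() {
    ( CATALINA_OPTS=""; . "$1"; printf '%s\n' "$CATALINA_OPTS" )
}

# Demo on a constructed setenv.sh in a temporary directory (sample input only,
# not a real Tomcat installation).
demo_dir=$(mktemp -d)
printf 'export CATALINA_OPTS="-Xmx2g"\n' > "$demo_dir/setenv.sh"   # constructed pre-existing setting
enable_krb5_debug "$demo_dir/setenv.sh"
echo "CATALINA_OPTS after enabling: $(resolved_catalina_opts "$demo_dir/setenv.sh")"
disable_krb5_debug "$demo_dir/setenv.sh"
echo "CATALINA_OPTS after disabling: $(resolved_catalina_opts "$demo_dir/setenv.sh")"
rm -r "$demo_dir"
```

After restarting Tomcat, confirm the new JVM actually picked the options up before reading catalina.out: `jcmd <tomcat-pid> VM.system_properties | grep sun.security` should list the three properties set to true. If they are missing, check whether Tomcat was started with a CATALINA_BASE whose bin/setenv.sh differs from the one you edited.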

Note

If you can't find an issue on the AM side or instead believe it to be an issue on the Microsoft® Windows® side, you can enable Kerberos event logging on the Windows / Active Directory® server as detailed in: Microsoft - How to enable Kerberos event logging.

See Also

How do I troubleshoot Kerberos and WDSSO issues in AM (All versions)?

How do I set up Kerberos authentication in AM (All versions)?

How do I collect all the data required for troubleshooting AM and Agents (All versions)?

How do I record troubleshooting information in AM (All versions)?

Configuring and troubleshooting WDSSO in AM

OpenAM Windows Desktop SSO deep dive – part 1

Java 11 - Troubleshooting Kerberos Login

Java 8 - Troubleshooting Kerberos Login

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.