You can enable debug logging for the JVM's Krb5LoginModule by setting the following JVM options in the web application container in which AM runs:
-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true
This setting sends additional debug output from the Krb5LoginModule to stdout, which lets you trace the program's execution of the Kerberos V5 protocol.
Additionally, you can set the following JVM option to enable debug logging for the SPNEGO token:
-Dsun.security.spnego.debug=true
You should also ensure you have enabled Message level debugging in the AM debug logs, as this provides much more information in the Authentication log. See Maintenance Guide › Debug Logging (AM 7 and later) or How do I enable Message level debugging in AM (All versions) debug files? for further information.
Example using Apache Tomcat™ web container
With AM running in the Tomcat web container, you enable debug logging by specifying CATALINA_OPTS settings in the setenv.sh file (typically located in the /tomcat/bin/ directory). If this file doesn't exist, create it in the same directory as the catalina.sh file (also typically /tomcat/bin/).
To enable debug logging:
- Add the following line to the setenv.sh file:
  export CATALINA_OPTS="-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Dsun.security.spnego.debug=true"
- Restart the web container.
The additional debug output will be sent to the Tomcat catalina.out log file by default.
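The steps above can be scripted so the flags are added once and removed cleanly when troubleshooting ends, rather than leaving Kerberos tracing on in catalina.out. This is an added example, not part of the original article or the product: the function names and the marker comment are hypothetical, the default path is the article's typical /tomcat/bin/ location, and unlike the literal line in the step it appends to any CATALINA_OPTS already set in setenv.sh instead of replacing it.

```shell
#!/bin/sh
# Added example: toggle the Kerberos/SPNEGO debug flags in Tomcat's setenv.sh.
# SETENV defaults to the article's typical location; override it for your install.
SETENV="${SETENV:-/tomcat/bin/setenv.sh}"
MARK="# krb5-debug (temporary)"   # hypothetical marker used to find our line again
FLAGS="-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Dsun.security.spnego.debug=true"

krb5_debug_enable() {
    # Create setenv.sh next to catalina.sh if it does not exist yet.
    [ -f "$SETENV" ] || { printf '#!/bin/sh\n' > "$SETENV" && chmod 755 "$SETENV"; }
    # Idempotent: leave the file alone if our marked line is already present.
    grep -qF "$MARK" "$SETENV" && return 0
    # Append to, rather than overwrite, any CATALINA_OPTS set earlier in the file.
    printf 'export CATALINA_OPTS="$CATALINA_OPTS %s" %s\n' "$FLAGS" "$MARK" >> "$SETENV"
}

krb5_debug_disable() {
    [ -f "$SETENV" ] || return 0
    # Drop only the marked line; grep exits 1 if nothing else remains, hence "|| true".
    grep -vF "$MARK" "$SETENV" > "$SETENV.tmp" || true
    # Write back through cat so the original file mode and owner are kept.
    cat "$SETENV.tmp" > "$SETENV" && rm -f "$SETENV.tmp"
}

krb5_debug_status() {
    # Prints "enabled" or "disabled" depending on whether the marked line exists.
    if [ -f "$SETENV" ] && grep -qF "$MARK" "$SETENV"; then
        echo enabled
    else
        echo disabled
    fi
}
```

Call krb5_debug_enable or krb5_debug_disable and then restart the web container, as in the step above, for the change to take effect.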
If you can't find an issue on the AM side, or believe the issue is on the Microsoft® Windows® side, you can enable Kerberos event logging on the Windows / Active Directory® server as detailed in: Microsoft - How to enable Kerberos event logging.