Kerberos authentication fails in AM (All versions) with Receive timed out errors when DC or AD is unreachable
The purpose of this article is to provide assistance if Kerberos authentication fails in AM when the Kerberos™ Domain Controller (DC) or Active Directory® (AD) is unreachable (for example, it has been restarted). You will see errors similar to the following when this happens: "Error while performing service login javax.security.auth.login.LoginException: Receive timed out".
Symptoms
The authentication journey stays on the Kerberos node until the timeout is reached and doesn't proceed with the authentication flow (for example, to use an alternative method such as username and password).
An error similar to the following is shown when this happens:

ERROR: Error while performing service login javax.security.auth.login.LoginException: Receive timed out
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:788)
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
...
Caused by: java.net.SocketTimeoutException: Receive timed out

You may also encounter similar timeout issues if you have multiple Kerberos servers configured for failover purposes. For example, when one server becomes unavailable, subsequent requests will time out until the timeout period has been exceeded, at which point further requests will proceed using the second server.
Recent Changes
The Kerberos DC has been rebooted.
Causes
The timeout period is too long, which prevents the authentication flow from proceeding.
AM uses the JVM's Krb5LoginModule to perform Kerberos authentication, so these timeout and retry settings are outside AM's control. In turn, the JVM reads the krb5.conf file to control its communication with the DC.
Solution
This issue can be resolved by adjusting the timeout and number of retries settings in the krb5.conf file. These settings are found in the libdefaults section as shown below (with default values):

[libdefaults]
...
kdc_timeout = 30000
max_retries = 3

You should experiment with different settings to resolve your issue, but reducing the timeout should help. The timeout value is in milliseconds (ms).
Once you have adjusted these settings, you will need to restart the web container to apply your changes to the JVM.
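To size these settings before changing them, the following added example (not part of this article or of AM) parses the libdefaults and realms sections of a krb5.conf and estimates the worst-case time the JVM can spend before the Kerberos login fails when every KDC is unreachable. It assumes, as a simplification, that each of the max_retries attempts per KDC waits the full kdc_timeout and that KDCs are tried one after another; the sample krb5.conf and its hostnames are constructed.

```python
import re

# Constructed sample krb5.conf using the default values quoted above,
# with two KDCs listed for failover.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    kdc_timeout = 30000
    max_retries = 3

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
    }
"""

def parse_krb5_conf(text):
    """Return {section: [(key, value), ...]} for each top-level section.
    Realm blocks ("REALM = { ... }") are flattened into their section."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        if not line or line == '}':
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        if value == '{':  # realm block opener, no key/value to record
            continue
        sections[current].append((key, value))
    return sections

def worst_case_wait_seconds(text, kdc_timeout_ms=None, max_retries=None):
    """Estimated seconds before login fails with all KDCs down (assumption:
    every retry waits the full kdc_timeout and KDCs are tried in sequence).
    Explicit arguments override the file's values so tuning can be compared."""
    conf = parse_krb5_conf(text)
    defaults = dict(conf.get('libdefaults', []))
    timeout = kdc_timeout_ms or int(defaults.get('kdc_timeout', 30000))
    retries = max_retries or int(defaults.get('max_retries', 3))
    kdcs = [value for key, value in conf.get('realms', []) if key == 'kdc']
    return timeout * retries * max(len(kdcs), 1) / 1000
```

With the defaults and two KDCs the estimate is 180 seconds, which is why an authentication journey appears stuck on the Kerberos node; lowering kdc_timeout to 5000 and max_retries to 2 brings the same estimate down to 20 seconds.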
See Also
How do I specify multiple Kerberos servers in AM (All versions) for failover purposes?
How do I troubleshoot Kerberos and WDSSO issues in AM (All versions)?
Java 11: Kerberos Requirements
The Kerberos 5 GSS-API Mechanism
Related Training
N/A
Related Issue Tracker IDs
OPENAM-20444 (RFE to improve the way AM handles the Kerberos error)
OPENAM-20497 (Kerberos node - TGT should be acquired right before usage)