Does not apply to Identity Cloud

Kerberos authentication fails in AM (All versions) with Receive timed out errors when DC or AD is unreachable

Last updated Jan 19, 2023

The purpose of this article is to provide assistance if Kerberos authentication fails in AM when the Kerberos™ Domain Controller (DC) or Active Directory® (AD) is unreachable (for example, it has been restarted). You will see errors similar to the following when this happens: "Error while performing service login javax.security.auth.login.LoginException: Receive timed out".


Symptoms

The Kerberos request hangs until the KDC timeout is reached, at which point a timeout error is shown.

The authentication journey stays on the Kerberos node until the timeout is reached and doesn't proceed with the authentication flow (for example, to use an alternative method such as username and password). 

An error similar to the following is shown when this happens:

ERROR: Error while performing service login javax.security.auth.login.LoginException: Receive timed out
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:788)
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
    ...
Caused by: java.net.SocketTimeoutException: Receive timed out

You may also encounter similar timeout issues if you have multiple Kerberos servers configured for failover purposes. For example, when one server becomes unavailable, subsequent requests will time out against that server until the timeout period has been exceeded, at which point further requests proceed using the second server.

Recent Changes

The Kerberos DC has been rebooted.

Causes

The KDC timeout period is too long. The Kerberos node blocks for the full timeout (and each retry) before the login attempt fails, which prevents the authentication flow from proceeding to an alternative method until then.

AM uses the JVM's Krb5LoginModule (com.sun.security.auth.module.Krb5LoginModule) to perform Kerberos authentication, so these timeout settings are outside the control of AM. The JVM in turn reads the krb5.conf file to control communication with the DC.

Solution

This issue can be resolved by reducing the KDC timeout and the number of retries in the krb5.conf file. These settings are found in the [libdefaults] section, as shown below with the JVM's default values:

[libdefaults]
    ...
    kdc_timeout = 30000
    max_retries = 3

The kdc_timeout value is in milliseconds. Both settings can also be placed inside an individual realm's entry in the [realms] section, where they override the [libdefaults] values for that realm only. You should experiment with different settings to resolve your issue, but reducing the timeout should help. Bear in mind that, over UDP, the JVM retries each KDC up to max_retries times with a wait of kdc_timeout on each attempt before moving on to the next KDC listed for the realm, so the worst-case wait for the Kerberos node is roughly kdc_timeout × max_retries × the number of KDCs you have configured.

Once you have adjusted these settings, you will need to restart the web container to apply your changes to the JVM, because the JVM caches krb5.conf when it is first loaded. Make sure you edit the krb5.conf that the JVM actually reads: the file named by the java.security.krb5.conf system property if it is set, otherwise the platform default location (for example, /etc/krb5.conf on Linux). To confirm the new values are in effect, start the JVM with -Dsun.security.krb5.debug=true; the Kerberos debug output logs the timeout and number of retries with each request it sends to a KDC.
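The following is an added example, not code from this article or from ForgeRock, that illustrates both the cause above (the JVM blocking for the whole timeout and retry budget) and the effect of tuning the settings. It contains a minimal parser for the [libdefaults] and [realms] sections of krb5.conf and computes, per realm, the worst-case time the Krb5LoginModule can block if every listed KDC is unreachable. The model it uses is an assumption about the JDK's behaviour described above: each KDC is tried over UDP up to max_retries times, each attempt waiting kdc_timeout milliseconds; realm-specific values override [libdefaults]; missing values fall back to the JDK defaults of 30000 ms and 3 retries. The two krb5.conf fragments, the realm names and the KDC hostnames are constructed for the example.

```python
"""Estimate how long the JVM's Kerberos client can block on unreachable KDCs.

Constructed example, not ForgeRock's or the JDK's code. Assumed model of the
JDK Krb5LoginModule: each KDC listed for a realm is tried over UDP up to
max_retries times, each attempt waiting kdc_timeout ms, before the next KDC
is tried. Values inside a [realms] entry override [libdefaults]; anything
unset falls back to the JDK defaults (30000 ms, 3 retries).
"""
import re

JDK_DEFAULT_KDC_TIMEOUT_MS = 30000
JDK_DEFAULT_MAX_RETRIES = 3

# Constructed krb5.conf with the JDK default values left in place.
KRB5_CONF_DEFAULT = """
[libdefaults]
    default_realm = EXAMPLE.COM
    kdc_timeout = 30000
    max_retries = 3

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
    }
"""

# Same file with the timeout and retries reduced, plus a tighter per-realm
# override for a second (constructed) realm.
KRB5_CONF_TUNED = """
[libdefaults]
    default_realm = EXAMPLE.COM
    kdc_timeout = 5000
    max_retries = 1

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
    }
    PARTNER.EXAMPLE = {
        kdc = kdc.partner.example
        kdc_timeout = 2000
    }
"""


def parse_krb5_conf(text):
    """Parse [libdefaults] and the realm blocks under [realms].

    Returns (libdefaults: dict, realms: dict of realm -> {"kdc": [...], ...}).
    Handles flat "key = value" lines and the one level of { } nesting that
    krb5.conf uses for realm entries; '#' comments are stripped.
    """
    libdefaults, realms = {}, {}
    section, current_realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:  # new section header
            section, current_realm = m.group(1).lower(), None
            continue
        if section == "realms":
            m = re.match(r"^(\S+)\s*=\s*\{$", line)
            if m:  # start of a realm block, e.g. "EXAMPLE.COM = {"
                current_realm = m.group(1)
                realms[current_realm] = {"kdc": []}
                continue
            if line == "}":
                current_realm = None
                continue
        m = re.match(r"^(\w+)\s*=\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if section == "libdefaults":
            libdefaults[key] = value
        elif section == "realms" and current_realm is not None:
            if key == "kdc":  # a realm may list several KDCs for failover
                realms[current_realm]["kdc"].append(value)
            else:
                realms[current_realm][key] = value
    return libdefaults, realms


def effective_setting(realm_cfg, libdefaults, key, default):
    """Precedence: [realms] entry, then [libdefaults], then the JDK default."""
    if key in realm_cfg:
        return int(realm_cfg[key])
    if key in libdefaults:
        return int(libdefaults[key])
    return default


def worst_case_wait_ms(text):
    """Per realm: how long the login can block if every listed KDC is down."""
    libdefaults, realms = parse_krb5_conf(text)
    result = {}
    for realm, cfg in realms.items():
        timeout = effective_setting(cfg, libdefaults, "kdc_timeout", JDK_DEFAULT_KDC_TIMEOUT_MS)
        retries = effective_setting(cfg, libdefaults, "max_retries", JDK_DEFAULT_MAX_RETRIES)
        result[realm] = timeout * retries * len(cfg["kdc"])
    return result


if __name__ == "__main__":
    for label, conf in (("default", KRB5_CONF_DEFAULT), ("tuned", KRB5_CONF_TUNED)):
        for realm, ms in worst_case_wait_ms(conf).items():
            print(f"{label:8s} {realm:18s} up to {ms / 1000:.0f}s before the Kerberos node fails")
```

With the default values and two KDCs the node can sit for three minutes before the journey moves on; the tuned file brings that down to ten seconds. Use the calculation to pick values that fail fast enough for your journey while still leaving a healthy DC enough time to answer under load.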

See Also

How do I specify multiple Kerberos servers in AM (All versions) for failover purposes?

How do I troubleshoot Kerberos and WDSSO issues in AM (All versions)?

Java 11: Kerberos Requirements

The Kerberos 5 GSS-API Mechanism

Related Training

N/A

Related Issue Tracker IDs

OPENAM-20444 (RFE to improve the way AM handles the Kerberos error)

OPENAM-20497 (Kerberos node - TGT should be acquired right before usage)


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.