Windows Auto-login Error Logs

This topic describes the uaa.log entries you see in Windows Auto-login success and failure scenarios.

User logs in successfully

Check uaa.log to verify that the TGT/Kerberos token was generated and received properly. The base64 token value in the Negotiate header should start with YII; you can ignore the rest of the lengthy token value in the log entry.

[2022-02-22 19:29:41.949] cloudfoundry-identity-server - 14188 [http-nio-9480-exec-8] .... DEBUG --- SpnegoAuthenticationProcessingFilter: Received Negotiate Header for request https://win16-sachin.uaatestad.ge.com/uaa/: Negotiate YIIHVQYGKwY********

A local Windows (non-domain) user attempts Windows Auto-login (using the query parameter in the URL) from a domain member machine

The browser displays an error, and the same error message appears in uaa.log. The following error appears when the login URL includes the domain name.

The following error appears when the login URL does not include the domain name.

Bad or missing keytab file, or bad SPN in the uaa.yml file

The following errors appear in uaa.log.

[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Kerberos validation not successful. Encountered Bad Credentials Exception : Kerberos validation not successful
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Kerberos validation not successful. Encountered Bad Credentials Exception : Kerberos validation not successful
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Defective token detected (Mechanism level: GSSHeader did not find the right tag)
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Defective token detected (Mechanism level: GSSHeader did not find the right tag)
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] ....  WARN --- SpnegoAuthenticationProcessingFilter: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKADk4AAAADw==
org.springframework.security.authentication.BadCredentialsException: Bad Credentials excpetion. It could be due to keytab file and the SPN configuration.

Crypto Mismatch

A crypto mismatch occurs when the encryption type specified with ktpass.exe when generating the keytab does not match the encryption types supported by the service account. In the entries below, the client's ticket is encrypted with RC4-HMAC, but the keytab holds no key of that type, so the AP-REQ cannot be decrypted.

[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Kerberos validation not successful. Encountered Bad Credentials Exception : Kerberos validation not successful
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Kerberos validation not successful. Encountered Bad Credentials Exception : Kerberos validation not successful
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC

Clock skew between client and server

The following errors appear in uaa.log.

[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Clock skew too great (37)
[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Clock skew too great (37)

Note: Make sure the clocks on all three systems (the client machine, the UAA server, and the domain controller that issues the Kerberos tickets) are synchronized.
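The following Python script is an added example, not part of this documentation or of the UAA product. It parses uaa.log lines shaped like the ones quoted in the sections above (the sample lines are constructed; the SPNEGO token is the first 16 bytes of a typical token re-encoded, and the NTLM value is the one from the keytab/SPN section) and maps each entry to one of the failure categories described in this topic: success check, bad keytab/SPN or crypto mismatch, and clock skew. It also decodes the first bytes of the Negotiate token: a value starting with YII is a GSS-API InitialContextToken (tag 0x60) carrying the SPNEGO mechanism OID, whereas the TlRMTVNTUAAB... value in the "Negotiate Header was invalid" entry decodes to NTLMSSP, an NTLM Type 1 message, which is why the GSS layer reports "GSSHeader did not find the right tag".

```python
import base64
import re

# Constructed sample lines modelled on the uaa.log entries quoted in this topic.
SAMPLE_LOG = """\
[2022-02-22 19:29:41.949] cloudfoundry-identity-server - 14188 [http-nio-9480-exec-8] .... DEBUG --- SpnegoAuthenticationProcessingFilter: Received Negotiate Header for request https://uaa.example.test/uaa/: Negotiate YIIHVQYGKwYBBQUCoIIHSQ==
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : null
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Defective token detected (Mechanism level: GSSHeader did not find the right tag)
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Defective token detected (Mechanism level: GSSHeader did not find the right tag)
[2022-02-21 19:09:21.839] cloudfoundry-identity-server - 13956 [http-nio-9480-exec-8] ....  WARN --- SpnegoAuthenticationProcessingFilter: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKADk4AAAADw==
[2022-02-22 11:39:18.326] cloudfoundry-identity-server - 6084 [http-nio-9480-exec-3] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC
[2022-02-19 13:14:55.556] cloudfoundry-identity-server - 14532 [http-nio-9480-exec-9] .... ERROR --- DynamicKerberosAuthenticationManager: Root cause for Kerberos validation failure : Clock skew too great (37)
"""

# Log line layout as quoted above: timestamp, process, thread, level, logger, message.
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \S+ - \d+ \[[^\]]+\] \.+\s+(?P<level>[A-Z]+) --- "
    r"(?P<logger>\w+): (?P<msg>.*)$"
)
# The token always follows ": Negotiate " in both filter messages.
NEGOTIATE = re.compile(r":\s*Negotiate\s+(?P<b64>[A-Za-z0-9+/=]+)")

# DER-encoded mechanism OIDs that follow the 0x60 InitialContextToken tag.
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2

# Root-cause substrings from this topic and what a defender should check.
ROOT_CAUSES = [
    ("GSSHeader did not find the right tag",
     "token is not a GSS-API/Kerberos token (NTLM fallback, e.g. a local non-domain user); "
     "check the client is a domain member logged in with a domain account"),
    ("Cannot find key of appropriate type to decrypt AP-REQ",
     "keytab has no key for the ticket's encryption type: bad/missing keytab, wrong SPN, "
     "or ktpass crypto mismatch"),
    ("Clock skew too great",
     "clock skew: synchronise the client, UAA server and domain controller clocks"),
]


def classify_token(b64: str) -> str:
    """Identify the mechanism from the leading bytes of a base64 Negotiate token."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=False)
    except ValueError:
        return "undecodable"
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        return "ntlm-type%d" % int.from_bytes(raw[8:12], "little")  # 1=Negotiate, 3=Authenticate
    if len(raw) >= 2 and raw[0] == 0x60:
        body = raw[1:]
        # Skip the DER length: one byte in short form, 1 + n bytes in long form.
        skip = 1 if body[0] < 0x80 else 1 + (body[0] & 0x7F)
        body = body[skip:]
        if len(body) < len(SPNEGO_OID):
            return "gssapi-truncated"   # redacted/shortened token, OID not fully present
        if body.startswith(SPNEGO_OID):
            return "spnego"
        if body.startswith(KRB5_OID):
            return "kerberos5"
        return "gssapi-other"
    return "unknown"


def diagnose_root_cause(msg: str):
    """Map a 'Root cause ...' message to a diagnosis; None for the uninformative 'null'."""
    cause = msg.split("Root cause for Kerberos validation failure :", 1)[1].strip()
    if cause == "null":
        return None
    for needle, diagnosis in ROOT_CAUSES:
        if needle in cause:
            return diagnosis
    return "unrecognised cause: " + cause


def triage(log_text: str) -> list:
    """Return one finding per distinct informative entry, in log order."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        key = (m["ts"], m["msg"])
        if key in seen:            # UAA writes each of these entries twice; report once
            continue
        seen.add(key)
        msg = m["msg"]
        if "Root cause for Kerberos validation failure" in msg:
            diagnosis = diagnose_root_cause(msg)
            if diagnosis:
                findings.append({"ts": m["ts"], "kind": "root-cause", "detail": diagnosis})
        elif "Negotiate Header" in msg:
            token = NEGOTIATE.search(msg)
            kind = "negotiate-invalid" if "was invalid" in msg else "negotiate-received"
            findings.append({"ts": m["ts"], "kind": kind,
                             "detail": classify_token(token["b64"]) if token else "no token"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["ts"], finding["kind"], "->", finding["detail"])
```

Run it against a real uaa.log by replacing SAMPLE_LOG with the file contents; a "negotiate-received" finding classified as "spnego" corresponds to the success case above, while "ntlm-type1" on a "negotiate-invalid" finding means the browser never sent a Kerberos ticket at all, so the keytab and SPN are not the first thing to check.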

Useful SPN commands

To view existing SPNs:
  setspn -F -Q HTTP/<FQDN>
  Example: setspn -F -Q HTTP/[email protected]

To delete an SPN:
  setspn -D HTTP/<FQDN> <user account>
  Example: setspn -D HTTP/[email protected] ghost1

How to Un-Register an Existing Service Principal Name (SPN)

The following steps un-register the existing SPN and make the necessary updates in Active Directory.

Step 1: Delete any other SPN (if one exists)
  Run the command: setspn -D HTTP/thenameyougavetothespn spnUserName
  Replace:
  • thenameyougavetothespn with the SPN you want to unregister
  • spnUserName with the user who created the SPN being un-registered.

Optional step: Verify the un-registration
  Run the command: setspn -F -Q HTTP/thenameyougavetothespn*

Step 2: Update the logon name in Active Directory
  1. Go to Active Directory.
  2. Open the properties of the existing spnUserName.
  3. Change the logon name from HTTP/uaaautologin2.uaatestad.ge.com to SAMAccountName or User logon name (pre-Windows 2000).

Resolving JWT Token Size and Autologin Challenges

When a user is assigned to many groups, the JWT token size grows and Tomcat rejects requests because the header size limit is exceeded. The same limit causes problems configuring autologin and logging into Operations Hub with the autologin feature, which fails with a "Bad Request" error.

This issue arises when a user is a member of many Active Directory groups. The Kerberos token that the browser sends in the Authorization: Negotiate request header (in reply to the server's WWW-Authenticate: Negotiate challenge) carries the user's group memberships, so the HTTP request header grows with the number of groups. If the header size exceeds the server-configured limits, the server rejects the request.

To resolve the issue, raise the header size limit in both the HTTPD and the Tomcat configuration, as follows:

Update the HTTPD configuration file
  1. Open C:\Program Files\GE\Proficy Authentication\httpd\conf\app-specific.d\uaa-httpd.conf in a text editor.
  2. Add the following lines:
    #SPNEGO authentication HTTP request header size
    LimitRequestFieldSize 16384

  3. Save and close the httpd configuration file.

Update the Tomcat configuration file
  1. Open C:\Program Files\GE\Proficy Authentication\uaa-tomcat\conf\server.xml in a text editor.
  2. Locate the Connector element and change the maxHttpHeaderSize attribute.

    Change maxHttpHeaderSize="8192" to maxHttpHeaderSize="16384".

    <Connector connectionTimeout="20000" redirectPort="8443" port="9480" maxPostSize="2097152" maxHttpHeaderSize="16384" protocol="HTTP/1.1"></Connector>

  3. Save and close the Tomcat configuration file.

Note:
  • The default value for LimitRequestFieldSize is 8192 bytes (8k).
  • The default value for maxHttpHeaderSize is 8192.
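As an added example (not part of this documentation or of the product), the following Python script shows why both limits matter and how to check them against a token of a given size: the Kerberos token travels base64-encoded in the Authorization: Negotiate request header, so a raw token grows by about a third on the wire, and the request must pass both the httpd front end (LimitRequestFieldSize) and Tomcat (maxHttpHeaderSize). The configuration fragments and the token (zero bytes, only its size matters) are constructed; the port 9480 and the Connector line are taken from this topic; the value 8192 used when a directive or attribute is absent is the default stated in the Note above. Tomcat's maxHttpHeaderSize covers all request headers together, so comparing the single Negotiate line against it is a lower bound.

```python
import base64
import re

# Constructed sample inputs, modelled on the files named in this topic.
HTTPD_CONF_BEFORE = "# uaa-httpd.conf (constructed fragment): no LimitRequestFieldSize directive yet\n"
HTTPD_CONF_AFTER = HTTPD_CONF_BEFORE + (
    "#SPNEGO authentication HTTP request header size\n"
    "LimitRequestFieldSize 16384\n"
)
SERVER_XML_BEFORE = (
    '<Server><Service name="Catalina">'
    '<Connector connectionTimeout="20000" redirectPort="8443" port="9480" '
    'maxPostSize="2097152" maxHttpHeaderSize="8192" protocol="HTTP/1.1"></Connector>'
    "</Service></Server>"
)
SAMPLE_TOKEN = bytes(7000)  # constructed: only the size of the Kerberos token matters here

CONNECTOR = re.compile(r"<Connector\b[^>]*>")


def negotiate_header_length(token: bytes) -> int:
    """Bytes used on the wire by the 'Authorization: Negotiate <base64>' line, CRLF included."""
    return len("Authorization: Negotiate ") + len(base64.b64encode(token)) + 2


def httpd_limit_request_field_size(conf_text: str, default: int = 8192) -> int:
    """Effective LimitRequestFieldSize: the last uncommented directive wins, else the default."""
    limit = default
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        m = re.match(r"LimitRequestFieldSize\s+(\d+)$", line, re.IGNORECASE)
        if m:
            limit = int(m.group(1))
    return limit


def _attr(tag: str, name: str):
    """Value of attribute `name` in a start tag, or None (case-sensitive, so redirectPort != port)."""
    m = re.search(r'\b%s="([^"]*)"' % re.escape(name), tag)
    return m.group(1) if m else None


def tomcat_max_http_header_size(server_xml: str, port: str = "9480", default: int = 8192) -> int:
    """maxHttpHeaderSize of the Connector listening on `port` (the default if the attribute is absent)."""
    for m in CONNECTOR.finditer(server_xml):
        if _attr(m.group(0), "port") == port:
            value = _attr(m.group(0), "maxHttpHeaderSize")
            return int(value) if value else default
    raise ValueError("no <Connector> with port=%r" % port)


def set_tomcat_max_http_header_size(server_xml: str, size: int, port: str = "9480") -> str:
    """Return server.xml text with maxHttpHeaderSize set on the Connector for `port` only."""
    def fix(m):
        tag = m.group(0)
        if _attr(tag, "port") != port:
            return tag
        if _attr(tag, "maxHttpHeaderSize") is None:
            return tag.replace("<Connector", '<Connector maxHttpHeaderSize="%d"' % size, 1)
        return re.sub(r'\bmaxHttpHeaderSize="\d+"', 'maxHttpHeaderSize="%d"' % size, tag)
    return CONNECTOR.sub(fix, server_xml)


def check_negotiate_header(token: bytes, httpd_conf: str, server_xml: str, port: str = "9480") -> dict:
    """Report whether the Negotiate header for `token` passes both the httpd and the Tomcat limit."""
    size = negotiate_header_length(token)
    httpd_limit = httpd_limit_request_field_size(httpd_conf)
    tomcat_limit = tomcat_max_http_header_size(server_xml, port)
    rejected_by = [name for name, limit in (("httpd", httpd_limit), ("tomcat", tomcat_limit))
                   if size > limit]
    return {"header_bytes": size, "httpd_limit": httpd_limit, "tomcat_limit": tomcat_limit,
            "fits": not rejected_by, "rejected_by": rejected_by}


if __name__ == "__main__":
    print("before:", check_negotiate_header(SAMPLE_TOKEN, HTTPD_CONF_BEFORE, SERVER_XML_BEFORE))
    fixed_xml = set_tomcat_max_http_header_size(SERVER_XML_BEFORE, 16384)
    print("after: ", check_negotiate_header(SAMPLE_TOKEN, HTTPD_CONF_AFTER, fixed_xml))
```

A 7000-byte token becomes a 9363-byte header line, which both defaults reject; raising only one of the two limits still leaves the request rejected by the other, which is why the procedure above edits both files.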