Troubleshooting IPfonix, Inc. KDCs
While we are happy to help customers troubleshoot apparent problems in our KDCs, we do ask that, before contacting us to notify us of a problem, you:
- Make sure that you understand the requirements in the PacketCable security specification.
The Security specification is quite a complex (but very complete) document. Some of the details
associated with the PacketCable use of Kerberos are non-obvious. Be certain that you understand exactly
how the specification requires the KDC to function before contacting us about an apparent discrepancy between
the actual behaviour and the behaviour as defined in the specification.
- Check your kdc.ini file against the documentation in the KDC User Guide very, very carefully.
Almost all of the “errors” that people tell us about are actually the result of a mis-spelling in the kdc.ini file
or a misunderstanding of how the file is processed. To help you determine how the KDC is interpreting your kdc.ini file,
look carefully at the information printed to the KDC log file when the KDC starts up. Most of the commands in
the kdc.ini file cause the KDC to output informational text into the logfile, reflecting the way in which
the KDC has interpreted the command. If the contents of the logfile do not match what you expect to see,
we recommend that you examine every character in the command in the kdc.ini file, to make sure that there
are no non-printing characters, mis-spellings, etc.
If you do have to contact us, please include a copy of the logfile and your kdc.ini file.
Problem: The KDC complains that the license file cannot be verified, even though it has not expired
Check that the contents of the file have not been in any way altered from the license as it was e-mailed to you. We do
verify that license files function correctly before sending them out.
Also, check that the license matches the version of the KDC that you are using. PacketCable, CableHome and PacketCable/CableHome
license files differ slightly from one another, and each will function correctly only on the version of the KDC for which
it was generated.
Problem: The KDC ignores changes to the kdc.ini file
Check that you have included a [compliance] section with the line:
compliant = false
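An added example, not IPfonix code: a small Python check for the two kdc.ini problems described above (hidden non-printing characters in a command, and a missing [compliance] override). It assumes the file uses [section] headers and key = value lines as shown on this page; the function names and the sample text are constructed for illustration.

```python
import unicodedata

# Constructed sample: a no-break space (U+00A0) hides in the section
# header and a zero-width space (U+200B) hides in the key name.
SAMPLE = "[compliance\u00a0]\ncompli\u200bant = false\n"


def find_suspect_chars(text):
    """Return (line, column, codepoint, name) for each character that is
    not printable ASCII, a tab, or a line ending."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        if line.endswith("\r"):          # tolerate CRLF line endings
            line = line[:-1]
        for col, ch in enumerate(line, start=1):
            if ch == "\t" or " " <= ch <= "~":
                continue
            name = unicodedata.name(ch, "unnamed control character")
            hits.append((lineno, col, "U+%04X" % ord(ch), name))
    return hits


def has_compliance_override(text):
    """True if a [compliance] section contains 'compliant = false'.
    Assumption: spacing around '=' is not significant to the KDC."""
    in_section = False
    for raw in text.split("\n"):
        line = raw.strip(" \t\r")        # ASCII whitespace only
        if line.startswith("["):
            in_section = line == "[compliance]"
        elif in_section:
            key, sep, value = line.partition("=")
            if sep and key.rstrip(" \t") == "compliant" and value.lstrip(" \t") == "false":
                return True
    return False


if __name__ == "__main__":
    for hit in find_suspect_chars(SAMPLE):
        print("line %d, column %d: %s %s" % hit)
    print("compliance override found:", has_compliance_override(SAMPLE))
```

To check a real file, read it as text (for example with open(path, encoding="utf-8").read()) and pass the result to both functions; a byte-order mark at the start of the file is reported as U+FEFF on line 1, column 1.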
Problem: The KDC seems to operate OK, but when I look at the log it says that there were errors reading the private key file
The KDC_private_key can be in any one of three formats: PKCS#1, PKCS#8 and the proprietary format
described in the User Guide. The KDC will attempt to parse the file in each of these formats in turn, until it finds
a match. If the KDC attempts to read the file in an incorrect format, it will generate an error message before moving
to the next format. An error logged for one format therefore does not by itself mean that the key failed to load.
Problem: The KDC rejects the certificates I have provisioned, or the KDC rejects the certificates in the AS-REQ
One or more certificates do not meet the requirements in the security specification. The KDC does (usually) try to explain in the
log file what is wrong. If you are not certain that you understand the relationship among the various certificates that must
be provisioned on to the KDC, please look at our configuration TiddlyWiki.