

Troubleshoot using the Agent Trace Log File

Troubleshoot the Federation Agent by referring to the trace log file, IWAConnectorTrace.log.

To set up the trace log file:

  1. Navigate to %FEDROOT%\connectors\IWA\Config\login.conf.
  2. Open the login.conf file and make the following change:

    debug=true

  3. Restart the federation services.

The log file is written to %FEDROOT%\logs\connectors\IWA\IWAConnectorTrace.log.

The log file can contain any of the following messages:

Symptom:

Config file not found.

Solution:

Make sure that the IWAConnectorConfig.conf file is present in the federation_install_dir\connectors\IWA\config folder.

Symptom:

Invalid authtype specified.

Solution:

Make sure the authentication type is specified as NTLM or Kerberos. Re-run the configuration wizard if necessary. Do not manually edit the configuration file to change this value.

Symptom:

NTLM is not supported on non-Windows platform.

Solution:

Re-run the configuration wizard and specify Kerberos as the authentication type. Do not manually edit the configuration file to change this value.

Symptom:

Password should be encrypted using the IWAEncryptPassword utility.

Solution:

Re-run the configuration wizard and enter the password. Do not manually edit the configuration file to change this value.

Symptom:

AuthType cannot be blank.

Solution:

Re-run the configuration wizard and select an authentication type. Do not manually edit the configuration file to change this value.

Symptom:

Encryption key cannot be blank.

Solution:

Re-run the configuration wizard and select an encryption key. Do not manually edit the configuration file to change this value.

Symptom:

Invalid Encryption Transform specified.

Solution:

Re-run the configuration wizard and specify another encryption transformation. Do not manually edit the configuration file to change this value.

Symptom:

Invalid HMAC value specified. Only true or false can be specified.

Solution:

Re-run the configuration wizard and select true or false for whether to enable HMAC. Do not manually edit the configuration file to change this value.

Symptom:

Kerberos configuration is invalid.

Solution:

Make sure the following parameters are specified correctly:

Re-run the configuration wizard if necessary. Do not manually edit the configuration file to change any of these values.

Symptom:

Context expiration interval cannot be less than 1 minute.

Solution:

Re-run the configuration wizard and specify a context expiration interval of longer than 1 minute. Do not manually edit the configuration file to change this value.

Symptom:

Invalid configuration. Server not initialized.

Solution:

Make sure the following values are specified correctly:

Re-run the configuration wizard if necessary. Do not manually edit the configuration file to change any of these values.

Symptom:

Aborting request as it is initiated with an IP address.

Solution:

Make sure that the SSO request is always initiated with a fully qualified domain name.

Symptom:

Kerberos initialization failed, please check the configuration parameters.

Solution:

Make sure the following values are specified correctly:

Re-run the configuration wizard if necessary. Do not manually edit the configuration file to change any of these values.

Symptom:

No cookie found; it is either expired or deleted.

Solution:

This message appears when the browser is configured incorrectly. Make sure that the browser configuration is complete for NTLM and that cookies are not disabled.

Symptom:

NTLM credentials cookie is not found.

Solution:

This message appears when the browser is configured incorrectly. Make sure that the browser configuration is complete for NTLM and that cookies are not disabled.

Symptom:

User domain or workstation information not found.

Solution:

This message appears when the domain name or the workstation name was not found in the NTLM type 3 message. Make sure that this message has not been altered.
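
To confirm which field is missing, you can decode a captured NTLM type 3 message from the Authorization header and inspect its domain and workstation fields. The following script is an added example, not part of the product or this guide. It follows the AUTHENTICATE_MESSAGE layout in the MS-NLMP specification; the function names, the cp437 OEM code page, and the sample values are assumptions made for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise

def _field(msg, pos, encoding):
    """Read one security buffer (len, maxlen, offset) and decode its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer at %d points outside the message" % pos)
    return msg[offset:offset + length].decode(encoding)

def parse_type3(header_value):
    """Return domain, user and workstation from an 'NTLM <base64>' header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected type 3, got type %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM page assumed
    return {"domain": _field(msg, 28, enc), "user": _field(msg, 36, enc),
            "workstation": _field(msg, 44, enc)}

def missing_fields(info):
    """Fields named in the trace message that are empty in this type 3 message."""
    return [k for k in ("domain", "workstation") if not info[k]]

def build_sample(domain, user, workstation):
    """Constructed type 3 message with empty LM/NT responses, for testing only."""
    payload, bufs, offset = b"", b"", 64
    for text in ("", "", domain, user, workstation, ""):
        raw = text.encode("utf-16-le")
        bufs += struct.pack("<HHI", len(raw), len(raw), offset)
        payload += raw
        offset += len(raw)
    msg = NTLMSSP_SIG + struct.pack("<I", 3) + bufs + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    for hdr in (build_sample("CORP", "jdoe", "WS01"), build_sample("", "jdoe", "")):
        info = parse_type3(hdr)
        print(info, "missing:", missing_fields(info))
```

The script reads only the name fields and does not extract the challenge responses carried in the same message.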

Symptom:

User has not entered the domain information.

Solution:

Make sure the browser configuration for NTLM authentication is complete. If you are using prompt-based authentication, make sure that the domain name is provided with the user name.

Symptom:

Authentication failed when attempting auth for principal SPN_Name to the KDC KDC_address, using keys in the Keytab keytab_path.

Solution:

Make sure that the following parameters are correct:

Symptom:

User Name not found; ensure that your browser is on a machine other than the federation server.

Solution:

Make sure that the SSO request is always made from a system other than the federation server at the asserting party.