System Preparation

Installing the Kerberos GSSAPI client and server utility

You now need to add the following items into the Windows Registry:


Debugging

Option 1 - Log to lsass.log

  1. After doing the preparation steps above, reboot the machine. SSP debug logging should now appear in C:\Windows\System32\lsass.log. The lines relevant to the Moonshot SSP begin with "EAP-SSP".

This option is probably the easiest way to view the debug logging from the Moonshot SSP.

Option 2 - Gather trace information

If you just wish to see the Moonshot SSP logging in its own file, this option may be the best.

Once you have performed the above preparation work, start a Command Prompt session as an Administrator:

  • Click Start, All Programs, Accessories.

  • Right-click the Command Prompt entry, select Run as administrator.

    User Access Control

    You may be prompted to confirm whether you want to allow the program to make changes to the computer. Choose Yes.

  • Run the following command from the command prompt to start gathering trace information:


    Once you've performed the actions you wish to debug, stop this by issuing the following command:


    Now run the following command to create the trace log for you to look at.


    If you just wish to see the Moonshot SSP logging in its own file, so that you don't have to sift through other non-relevant logs, this option may be the best.

    Option 3 - Using DebugView

    1. Once you've done the preparation work above, download DebugView from Microsoft's site.
    2. Run DebugView as Administrator and capture global Win32 events.

    This final option is the trickiest and requires extra tools to be installed. It is, however, required to debug particularly thorny SSP issues.

    RedHat, CentOS or Scientific Linux

    On RedHat, CentOS or Scientific Linux, install the Kerberos GSSAPI utilities by running the following command:


    Debian or Ubuntu

    On Debian or Ubuntu, install the Kerberos GSSAPI utilities by running the following command:


    Troubleshooting

    To troubleshoot a GSSAPI connection, you require two separate terminals.

    Window 1 - As root

    1. In the first window, as root, run the following command:

    2. You should now have the following output with no prompt:

    Window 2 - As your test user

    1. In the second window, as your test user, run the following command:

    2. In a non-X environment (and no display forwarding), the identity is selected from the .gss_eap_id file in the test user's home directory. Create this file with the following content:

    3. In X, you should now be prompted to select an identity in the . Choose one that will authenticate locally.

    GSS Output

    After selecting your identity, you should now see output in both windows.

    Successful output

    1. In Window 1, the output should scroll rapidly with a lot of hex text before ending with something similar to the following:

    2. In Window 2, the output looks similar to the below:

    Failed output

    If the GSSAPI connection failed, you may see one or more errors in either window.

    1. In Window 1, you should see one or more messages similar to the below:

    2. In Window 2, you should see one or more error messages similar to the below:

    Now you will need to diagnose why the error occurred.