A.3. Investigating IdM Web UI Authentication Failures
- Make sure the user can authenticate from the command line using the
kinitutility. If the authentication fails, see also Section A.2, “InvestigatingkinitAuthentication Failures”. - Make sure that the
httpdanddirsrvservices on the affected server are running:# systemctl status httpd.service # systemctl status dirsrv@IPA-EXAMPLE-COM.service
- Make sure no related SELinux Access Vector Cache (AVC) messages are logged in the
/var/log/audit/audit.logand/var/log/messagesfiles.See Basic SELinux Troubleshooting in CLI in the Red Hat Knowledgebase for details on resolving AVC messages. - Make sure that cookies are enabled on the browser from which you are authenticating.
- Make sure that the time difference between the IdM server and the system on which you are authenticating is 5 minutes at the most.
- Review the Apache error log:
/var/log/httpd/error_log. - Enable verbose logging for the authentication process to help diagnose the problem. See Troubleshooting Firefox Kerberos Configuration in the System-Level Authentication Guide for advice on how to enable verbose logging in Firefox.
If you are having problems when logging in using certificates:
- In the
/etc/httpd/conf.d/nss.conffile, change theLogLevelattribute toinfo. - Restart the Apache server:
# systemctl restart httpd - Try logging in with the certificate again.
- Review the Apache error log:
/var/log/httpd/error_log.The log shows messages recorded by themod_lookup_identitymodule, including information about whether the module successfully matched the user during the login attempt or not.
Related Information
- See Section C.2, “Identity Management Log Files and Directories” for descriptions of various Identity Management log files.
