A.3. Investigating IdM Web UI Authentication Failures
- Make sure the user can authenticate from the command line using the kinit utility. If the authentication fails, see also Section A.2, “Investigating kinit Authentication Failures”.
- Make sure that the httpd and dirsrv services on the affected server are running:
  # systemctl status httpd.service
  # systemctl status dirsrv@IPA-EXAMPLE-COM.service
- Make sure no related SELinux Access Vector Cache (AVC) messages are logged in the /var/log/audit/audit.log and /var/log/messages files. See Basic SELinux Troubleshooting in CLI in the Red Hat Knowledgebase for details on resolving AVC messages.
- Make sure that cookies are enabled on the browser from which you are authenticating.
- Make sure that the time difference between the IdM server and the system on which you are authenticating is 5 minutes at the most.
- Review the Apache error log: /var/log/httpd/error_log.
- Enable verbose logging for the authentication process to help diagnose the problem. See Troubleshooting Firefox Kerberos Configuration in the System-Level Authentication Guide for advice on how to enable verbose logging in Firefox.
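The AVC and clock-skew checks from the list above can be scripted. The following is an added example, not part of the original guide: the function names, the sample audit records, and the choice to filter on the httpd_t and dirsrv_t domains and the httpd and ns-slapd process names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from a real system).
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:411): avc:  denied  { read } for  pid=2101 comm="httpd" name="ccache" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000003.550:415): avc:  denied  { name_connect } for  pid=2230 comm="ns-slapd" dest=749 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:kerberos_admin_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000009.002:420): avc:  denied  { write } for  pid=3100 comm="cupsd" name="x" dev="dm-0" ino=99 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1700000010.000:421): pid=3200 uid=0 msg='op=PAM:authentication acct="admin" res=success'
EOF
}

# Print "comm domain permission class" for each AVC denial whose source
# domain or process belongs to the web server or the Directory Server.
# Reads the files given as arguments, or stdin when none are given.
related_avc() {
    awk '
    /^type=AVC / && / denied / {
        comm = dom = perm = cls = "?"
        if (match($0, /comm="[^"]*"/))
            comm = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /scontext=[^ ]*/)) {
            split(substr($0, RSTART + 9, RLENGTH - 9), c, ":")
            dom = c[3]
        }
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        if (match($0, /tclass=[^ ]*/))
            cls = substr($0, RSTART + 7, RLENGTH - 7)
        if (dom == "httpd_t" || dom == "dirsrv_t" ||
            comm == "httpd" || comm == "ns-slapd")
            print comm, dom, perm, cls
    }' "$@"
}

# Print the absolute difference between two epoch timestamps (for example
# the output of "date +%s" on each host) and succeed only if it is within
# the 5-minute limit stated above.
clock_skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    echo "$d"
    [ "$d" -le 300 ]
}

# Demo on the constructed data; on a server, run: related_avc /var/log/audit/audit.log
sample_audit | related_avc
clock_skew_ok 1700000000 1700000420 || echo "skew exceeds 5 minutes"
```

Any line printed by related_avc is a denial to resolve before continuing with the browser-side checks.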
If you are having problems when logging in using certificates:
- In the /etc/httpd/conf.d/nss.conf file, change the LogLevel attribute to info.
- Restart the Apache server:
  # systemctl restart httpd
- Try logging in with the certificate again.
- Review the Apache error log: /var/log/httpd/error_log. The log shows messages recorded by the mod_lookup_identity module, including information about whether the module successfully matched the user during the login attempt or not.
Related Information
- See Section C.2, “Identity Management Log Files and Directories” for descriptions of various Identity Management log files.