You might experience difficulty when you configure Cert-to-Kerberos in your environment. You can use a variety of procedures for diagnosing and fixing these problems.

Error creating Kerberos context: clock skew too great

This error message:

ERROR:"wsportal.WsPortalEdgeService[createKerberosLoginContext: 119][39071f3d-9363-4e22-a8d9-5e288ac800fe]: Error creating kerberos context. 
Identity bridging may not work
javax.security.auth.login.LoginException: Clock skew too great"

displays when the Unified Access Gateway time and the AD server time are significantly out of sync. Reset the time on the AD server to match the exact UTC time on Unified Access Gateway.

Error creating Kerberos context: name or service not known

This error message:

wsportal.WsPortalEdgeService[createKerberosLoginContext: 133][]: Error creating kerberos context. 
Identity bridging may not work 
javax.security.auth.login.LoginException: Name or service not known

displays when the Unified Access Gateway is unable to reach the configured realm or unable to connect to KDC with the user details in the keytab file. Confirm the following:

  • The keytab file is generated with the correct SPN user account password and uploaded to Unified Access Gateway.

  • The back-end application IP address and hostname are added correctly in host entries.

Error Message: unable to retrieve client certificate from session: <sessionId>

If this message displays:

  • Check the X.509 certificate settings and determine whether they are configured.

  • If the X.509 certificate settings are configured, check the client certificate installed in the client-side browser to see whether it is issued by the same CA uploaded in the field "Root and Intermediate CA Certificates" in the X.509 certificate settings.

Error Message: Internal error. Please contact your administrator

Check the /opt/vmware/gateway/logs/authbroker.log for the message

"OSCP validation of CN=clientCert, OU=EUC, O=<org name>, ST=<state name>, C=IN failed with "Could not send OCSP request to responder: Connection refused (Connection refused) , will not attempt CRL validation"

This indicates that the OCSP URL configured in "X.509 Certificate" is not reachable or incorrect.

Error when OCSP certificate is invalid

"revocation.RevocationCheck: OSCP validation of CN=clientCert failed with "Could not verify signing certificate for OCSP responder:http://asdkad01/ocsp". will attempt CRL validation."

displays when an invalid certificate for OCSP is uploaded or if the OCSP certificate is revoked.

Error when OCSP response verification fails

"WARN ocsp.BouncyCastleOCSPHandler: Failed to verify OCSP response: CN=asdkAD01.Asdk.ADrevocation.RevocationCheck: 08/23 14:25:49,975" [tomcat-http--26] WARN revocation.RevocationCheck: OSCP validation of CN=clientCert failed with "Could not verify signing certificate for OCSP responder: http://asdkad01/ocsp". will attempt CRL validation."

sometimes displays when OCSP response verification fails.
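
The messages on this page can be picked out of an exported log (for example authbroker.log) mechanically. The following is an added example, not VMware tooling or code from this page: a Python triage function that matches the quoted messages, extracts the certificate subject and OCSP responder URL, and reports whether CRL fallback will be attempted. The names `triage`, `SIGNATURES` and `SAMPLE` are hypothetical, and the sample lines are constructed from the messages above.

```python
import re

# Signatures are substrings of the log messages quoted on this page; the
# "action" text paraphrases the page's own remediation for each message.
SIGNATURES = [
    ("clock_skew", "LoginException: Clock skew too great",
     "sync AD server time with UTC time on Unified Access Gateway"),
    ("realm_or_kdc_unreachable", "LoginException: Name or service not known",
     "check keytab (SPN account password) and back-end host entries"),
    ("no_client_cert", "unable to retrieve client certificate from session",
     "check X.509 settings and which CA issued the client certificate"),
    ("ocsp_unreachable", "Could not send OCSP request to responder",
     "OCSP URL in the X.509 settings is unreachable or incorrect"),
    ("ocsp_signer_untrusted", "Could not verify signing certificate for OCSP responder",
     "uploaded OCSP certificate is invalid or revoked"),
]
SUBJECT = re.compile(r"validation of (.+?) failed with")
RESPONDER = re.compile(r'OCSP responder:\s*([^"\s]+)')
CRL = re.compile(r"will (not )?attempt CRL validation")

def triage(lines):
    """Return one finding per matching log line, in file order."""
    findings = []
    for number, line in enumerate(lines, 1):
        for issue, needle, action in SIGNATURES:
            if needle.lower() not in line.lower():
                continue
            finding = {"line": number, "issue": issue, "action": action}
            if (m := SUBJECT.search(line)):
                finding["subject"] = m.group(1)
            if (m := RESPONDER.search(line)):
                finding["responder"] = m.group(1)
            if (m := CRL.search(line)):
                # "will not attempt" means revocation checking stops at OCSP.
                finding["crl_fallback"] = m.group(1) is None
            findings.append(finding)
            break
    return findings

# Constructed sample: messages from this page with placeholder DN fields.
SAMPLE = [
    "wsportal.WsPortalEdgeService[createKerberosLoginContext: 119][]: Error creating kerberos context.",
    "javax.security.auth.login.LoginException: Clock skew too great",
    'OSCP validation of CN=clientCert, OU=EUC, O=Example, C=IN failed with "Could not send OCSP request to responder: Connection refused (Connection refused) , will not attempt CRL validation"',
    'WARN revocation.RevocationCheck: OSCP validation of CN=clientCert failed with "Could not verify signing certificate for OCSP responder: http://asdkad01/ocsp". will attempt CRL validation.',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The `crl_fallback` field separates the two OCSP failures: an unreachable responder is logged with "will not attempt CRL validation", while an untrusted responder signature is logged with "will attempt CRL validation".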