A.3. Investigating IdM Web UI Authentication Failures

  1. Make sure the user can authenticate from the command line using the kinit utility. If the authentication fails, see also Section A.2, “Investigating kinit Authentication Failures”.
  2. Make sure that the httpd and dirsrv services on the affected server are running:
    # systemctl status httpd.service
    # systemctl status dirsrv@IPA-EXAMPLE-COM.service
  3. Make sure no related SELinux Access Vector Cache (AVC) messages are logged in the /var/log/audit/audit.log and /var/log/messages files.
    See Basic SELinux Troubleshooting in CLI in the Red Hat Knowledgebase for details on resolving AVC messages.
  4. Make sure that cookies are enabled on the browser from which you are authenticating.
  5. Make sure that the time difference between the IdM server and the system on which you are authenticating is at most 5 minutes.
  6. Review the Apache error log: /var/log/httpd/error_log.
  7. Enable verbose logging for the authentication process to help diagnose the problem. See Troubleshooting Firefox Kerberos Configuration in the System-Level Authentication Guide for advice on how to enable verbose logging in Firefox.
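
The service, AVC and clock-skew checks from steps 2, 3 and 5, collected into a script as an added example (not Red Hat's own tooling). The function names, the process names and SELinux types that are matched (`httpd`, `ns-slapd`, `httpd_t`, `dirsrv_t`) and the sample log lines are assumptions made for illustration; obtaining the server's clock value for the skew check is left to the caller.

```shell
#!/bin/sh
MAX_SKEW=300   # seconds; step 5 allows a difference of at most 5 minutes

# Step 3: print AVC denials raised by Apache or Directory Server.
# The comm names and SELinux types matched here are assumptions.
avc_denials() {
    grep 'avc: *denied' "$1" |
        grep -E 'comm="(httpd|ns-slapd)"|scontext=[^ ]*:(httpd_t|dirsrv_t):' || true
}

# Step 5: succeed only if two epoch timestamps differ by at most MAX_SKEW.
skew_within_limit() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "$MAX_SKEW" ]
}

# Steps 2 and 3 on a live IdM server (unit names as given in step 2).
run_checks() {
    systemctl is-active httpd.service "dirsrv@IPA-EXAMPLE-COM.service"
    for f in /var/log/audit/audit.log /var/log/messages; do
        avc_denials "$f"
    done
}

# Constructed sample lines (not from a real system) for an offline run.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:411): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000003.220:412): avc:  denied  { read } for  pid=1893 comm="ns-slapd" name="example.db" dev="dm-0" ino=9911 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.007:413): avc:  denied  { write } for  pid=3020 comm="cupsd" name="x" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1700000011.500:414): pid=3100 uid=0 auid=4294967295 msg='op=PAM:authentication acct="admin" exe="/usr/sbin/httpd" res=failed'
EOF
}

# Offline demonstration: prints the two denials relevant to the Web UI.
tmp=$(mktemp)
sample_audit_log > "$tmp"
avc_denials "$tmp"
rm -f "$tmp"
```

On an IdM server, call `run_checks` as root instead of the offline demonstration at the end.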
If you are having problems when logging in using certificates:
  1. In the /etc/httpd/conf.d/nss.conf file, change the LogLevel attribute to info.
  2. Restart the Apache server:
    # systemctl restart httpd
  3. Try logging in with the certificate again.
  4. Review the Apache error log: /var/log/httpd/error_log.
    The log shows messages recorded by the mod_lookup_identity module, including information about whether the module successfully matched the user during the login attempt or not.
