IPA WebGUI login fails with "Login failed due to an unknown reason"
Environment
- Red Hat Identity Management
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
Issue
- IPA WebGUI login fails with "Login failed due to an unknown reason"
- After upgrading IPA, can no longer log into the WebGUI
Resolution
1. Obtain a Kerberos ticket as the admin user:
# kinit admin
2. Generate new keys for the HTTP service principal and write them to the Apache keytab:
# ipa-getkeytab -p HTTP/ipa-server.example.com@EXAMPLE.COM -k /var/lib/ipa/gssproxy/http.keytab
3. Restart Apache:
# systemctl restart httpd
Root Cause
1. The HTTP principals in /var/lib/ipa/gssproxy/http.keytab became outdated and were not refreshed.
2. The following error is seen in /var/log/httpd/error_log after enabling debugging:
[auth_gssapi:error] [pid 1234] [client 192.168.10.1:38650] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]
Diagnostic Steps
1. Create the file /etc/ipa/server.conf with the following content:
[global]
debug=True
2. Restart Apache:
# systemctl restart httpd
3. Try to log into the WebGUI.
4. Review /var/log/httpd/error_log.
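To make step 4 repeatable, the following added example (not part of the original solution or of any Red Hat tooling) scans an error_log for the auth_gssapi error quoted under Root Cause and counts it per client address. The function names scan_gss_keytab_errors and sample_error_log are hypothetical, and the sample log lines are constructed around the error line shown above.

```sh
#!/bin/sh
# scan_gss_keytab_errors [FILE]
# Reads an httpd error_log (FILE, or stdin when omitted) and prints
# "<count> <client-address>" for every client that triggered the
# mod_auth_gssapi "failed to get server creds" error.
# Returns 0 when the signature is present, 1 when it is not.
scan_gss_keytab_errors() {
    awk '
        /\[auth_gssapi:error\]/ && /gss_acquire_cred/ && /failed to get server creds/ {
            addr = "unknown"
            # Client field format: [client 192.168.10.1:38650]
            if (match($0, /\[client [0-9A-Fa-f.:]+\]/)) {
                addr = substr($0, RSTART + 8, RLENGTH - 9)
                sub(/:[0-9]+$/, "", addr)   # strip the source port
            }
            hits[addr]++
            found = 1
        }
        END {
            for (addr in hits) print hits[addr], addr
            exit(found ? 0 : 1)
        }
    ' "${1:--}"
}

# Constructed sample input: timestamps, pids and the second client are
# made up; the error text is the one quoted under Root Cause.
sample_error_log() {
    cat <<'EOF'
[Mon Jan 01 10:00:00.000000 2024] [core:notice] [pid 1200] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Jan 01 10:02:11.000000 2024] [auth_gssapi:error] [pid 1234] [client 192.168.10.1:38650] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]
[Mon Jan 01 10:02:15.000000 2024] [auth_gssapi:error] [pid 1234] [client 192.168.10.1:38652] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]
[Mon Jan 01 10:03:40.000000 2024] [auth_gssapi:error] [pid 1235] [client 192.168.10.7:40112] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]
EOF
}

# Demo run on the constructed sample; on a server, pass the real log path.
sample_error_log | scan_gss_keytab_errors
```

On an IPA server, run it as scan_gss_keytab_errors /var/log/httpd/error_log before and after the Resolution steps; an exit status of 1 on log lines written after the Apache restart indicates the error is no longer being logged.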