1. Check the permissions on /etc/opt/quest/vas/HTTP.keytab. It must be readable by the user the Apache daemon runs as. The /opt/quest/sbin/setup-mod_auth_vas script can help with this. (NOTE: make sure the script is using the correct path to the httpd.conf of the Apache server in question; use the "-c" flag to tell the script where to find this file if it is not in the default location.)
2. Run "vastool klist -v" (on the client) and compare the kvno of the HTTP service ticket with the Vno of the service key in "vastool ktutil -k /etc/opt/quest/vas/HTTP.keytab list" (on the server). If they do not match, it is likely that the Active Directory service account was recently created or modified and the client still holds service tickets issued for the old key. On the client, run "vastool kdestroy" and "vastool kinit" to get a clean credential cache, then request a fresh service ticket in the following format:
"vastool kinit -S HTTP/@", for example "vastool kinit -S HTTP/xxx.domainname.com@domainname.com".
3. Run the server under strace and look for tell-tale errors. You can start Apache with the -X flag to make it single-threaded (good for debugging).
4. The issue could also be an old ticket on the client. For a Windows client, the kerbtray utility from the Windows Resource Kit is helpful. It can be downloaded from:
http://www.microsoft.com/downloads/details.aspx?FamilyID=4e3a58be-29f6-49f6-85be-e866af8e7a88
It installs an icon in the system tray. Use the "Purge Tickets" option to ensure there are no old service tickets hanging around on the client, then lock and unlock the screen to get a new TGT (which is what new service tickets are requested with). This is equivalent to 'vastool kdestroy; vastool kinit' on Unix machines. As an alternative to using kerbtray, you can log out of the machine and log back on. The system will then get a new service ticket the next time you request the protected resource from the web server, and hopefully it will work. Destroying service tickets is only necessary if the service object has been modified; old service tickets usually expire automatically after about 8 hours. The quick way for affected users to get new service tickets is to log out and log back on.
5. The Windows klist tool is functionally equivalent to 'vastool klist', so its output could also be helpful:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
The error could also be the result of accessing the service using a hostname other than the one in the keytab/service account. "vastool ktutil list" (with options) can be used to check that.
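Steps 2 and 5 boil down to comparing the kvno of the client's HTTP service ticket with the Vno of the key in the server's keytab, and checking that the principal names agree. The example below (added here; not part of the original article or of mod_auth_vas) does that comparison over captured output. The sample output is constructed, and the Heimdal-style layout it assumes for "vastool klist -v" and "vastool ktutil ... list" is an assumption to verify against real output.

```python
import re

# Constructed sample output (not from a real system) in the Heimdal-style layout
# that "vastool klist -v" and "vastool ktutil -k ... list" are assumed to use.
CLIENT_KLIST = """\
Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Client: jdoe@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2

Server: HTTP/web01.example.com@EXAMPLE.COM
Client: jdoe@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
"""

SERVER_KEYTAB = """\
Vno  Type                     Principal
  4  aes256-cts-hmac-sha1-96  HTTP/web01.example.com@EXAMPLE.COM
"""

SERVER_RE = re.compile(r"^Server:\s+(\S+)", re.M)
KVNO_RE = re.compile(r"\bkvno\s+(\d+)")
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+(\S+)", re.M)

def parse_klist(text):
    """Map each service principal in the client cache to its ticket kvno."""
    tickets = {}
    for block in text.split("\n\n"):  # one block per ticket in klist -v output
        server, kvno = SERVER_RE.search(block), KVNO_RE.search(block)
        if server and kvno:
            tickets[server.group(1)] = int(kvno.group(1))
    return tickets

def parse_keytab_list(text):
    """Map each principal in the keytab listing to the set of Vno values it holds."""
    keys = {}
    for vno, principal in KEYTAB_RE.findall(text):  # header lines do not match
        keys.setdefault(principal, set()).add(int(vno))
    return keys

def check_service_tickets(klist_text, keytab_text, service="HTTP/"):
    """Report HTTP tickets the server keytab cannot decrypt (empty list: all good)."""
    tickets, keys, findings = parse_klist(klist_text), parse_keytab_list(keytab_text), []
    for principal, kvno in tickets.items():
        if principal.startswith(service):  # ignore the TGT and other services
            vnos = sorted(keys.get(principal, ()))
            if not vnos:  # no such principal: wrong hostname or service name used
                findings.append((principal, "missing_key", kvno, vnos))
            elif kvno not in vnos:  # stale ticket: vastool kdestroy / kinit on the client
                findings.append((principal, "kvno_mismatch", kvno, vnos))
    return findings
```

Feed it the saved output of the two vastool commands; a "kvno_mismatch" finding points at step 2, a "missing_key" finding at the hostname check in step 5.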
MAV and all One Identity open source projects are supported through One Identity GitHub issues and the One Identity Community. For assistance with any One Identity GitHub project, please raise a new Issue on the One Identity GitHub project page. You may also visit the One Identity Community to ask questions. Requests for assistance made through official One Identity Support will be referred back to GitHub and the One Identity Community forums where those requests can benefit all users.
Main MAV GitHub page:
https://github.com/OneIdentity/mod_auth_vas
Latest MAV Packages:
https://github.com/OneIdentity/mod_auth_vas/releases
Open a MAV Issue:
https://github.com/OneIdentity/mod_auth_vas/issues
MAV Wiki:
https://github.com/OneIdentity/mod_auth_vas/wiki