Customers may notice that, from newer versions of NS11.1 onward, nskrb.debug does not provide any output for Kerberos actions after the first logon for users.
Even if the customer removes the cached tickets in /var/krb, they still will not see information in the debug log or see new tickets created in /var/krb.
From NS11.1 51.x onward, Kerberos ticket caching has been moved in-memory for better performance.
Hence, after the first time, everything is served from within the packet engine, and you will not see nskrb.debug output.
Because of this, logging for Kerberos has moved to ns.log instead.
Here is an example of the Kerberos logging in ns.log from a lab environment:
Apr 27 08:31:05 <local0.debug> 10.90.47.230 04/27/2017:07:31:05 GMT FRANKLAB-NS11 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 187 0 : SPCBId 522 - ClientIP 10.90.41.39 - ClientPort 65087 - VserverServiceIP 10.90.47.197 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session New- CLIENT_AUTHENTICATED -SerialNumber "100000002B725F3C69FE0251D500000000002B" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Mar 14 11:45:31 2017 GMT" - ValidTo "Mar 14 11:45:31 2018 GMT"
Apr 27 08:31:05 <local0.debug> 10.90.47.230 04/27/2017:07:31:05 GMT FRANKLAB-NS11 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 188 0 : SPCBId 522 - IssuerName " DC=com,DC=FRANKLAB,CN=FRANKLAB-CAENT"
Apr 27 08:31:05 <local0.debug> 10.90.47.230 04/27/2017:07:31:05 GMT FRANKLAB-NS11 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 189 0 : SPCBId 522 - SubjectName " DC=com,DC=FRANKLAB,CN=Users,CN=Administrator/emailAddress=Administrator@franklab.com"
Apr 27 08:31:05 <local0.info> 10.90.47.230 04/27/2017:07:31:05 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM LOGIN 190 0 : Context administrator@franklab.com@10.90.41.39 - SessionId: 1- User administrator@franklab.com - Client_ip 10.90.41.39 - Nat_ip "Mapped Ip" - Vserver 10.90.47.197:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" - Group(s) "N/A"
Apr 27 08:31:05 <local0.info> 10.90.47.230 04/27/2017:07:31:05 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 191 0 : "AAATM Login: created session for <administrator@franklab.com> with cookie: <3c500f2cde63c49e10db69fdae5441f4>"
Apr 27 08:31:05 <local0.debug> 10.90.47.230 04/27/2017:07:31:05 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM HTTPREQUEST 192 0 : Context administrator@franklab.com@10.90.41.39 - SessionId: 1- krbauth.franklab.com User administrator@franklab.com : Group(s) N/A : Vserver 10.90.47.197:443 - 04/27/2017:07:31:05 GMT : SSO is OFF : GET / - -
Apr 27 08:31:05 <local0.debug> 10.90.47.230 04/27/2017:07:31:05 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 193 0 : "cookie idx is 12, tmaaa cookie -1, temp cookie -1"
Apr 27 08:31:06 <local0.debug> 10.90.47.230 04/27/2017:07:31:06 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 194 0 : "SSO: Looking up PE cache for tickets for Administrator@FRANKLAB.COM@FRANKLAB-SF@FRANKLAB.COM of len 52"
Apr 27 08:31:06 <local0.err> 10.90.47.230 04/27/2017:07:31:06 GMT FRANKLAB-NS11 0-PPE-0 : default SSLVPN Message 195 0 : "Keberos resumeNotification; entry: 52 Administrator@FRANKLAB.COM@FRANKLAB-SF@FRANKLAB.COM not found, pcb_fip = 192.168.0.12, pcb_fport = 80"
Apr 27 08:31:06 <local0.debug> 10.90.47.230 04/27/2017:07:31:06 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 196 0 : "SSO: S4U Response: Received code from aaad is 2"
Apr 27 08:31:06 <local0.info> 10.90.47.230 04/27/2017:07:31:06 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 197 0 : "SSO: S4U response: Core 0 Received ticket for host FRANKLAB-SF, serialized ticket len 1497"
Apr 27 08:31:06 <local0.debug> 10.90.47.230 04/27/2017:07:31:06 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 198 0 : "SSO: Inserting kerberos ticket for Administrator@FRANKLAB.COM@FRANKLAB-SF@FRANKLAB.COM of len 52 in DHT"
Apr 27 08:31:06 <local0.debug> 10.90.47.230 04/27/2017:07:31:06 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 199 0 : "Kerberos DHT: Serialized dht entry; returning 1656 bytes of data, options:0"
Apr 27 08:31:06 <local0.debug> 10.90.47.230 04/27/2017:07:31:06 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 200 0 : "Kerberos DHT: Serialized dht entry; returning 1656 bytes of data, options:20"
Apr 27 08:31:34 <local0.debug> 10.90.47.230 04/27/2017:07:31:34 GMT FRANKLAB-NS11 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 201 0 : SPCBId 530 - ClientIP 10.90.41.39 - ClientPort 65110 - VserverServiceIP 10.90.47.197 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session New- CLIENT_AUTHENTICATED -SerialNumber "100000002B725F3C69FE0251D500000000002B" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Mar 14 11:45:31 2017 GMT" - ValidTo "Mar 14 11:45:31 2018 GMT"
Apr 27 08:31:34 <local0.debug> 10.90.47.230 04/27/2017:07:31:34 GMT FRANKLAB-NS11 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 202 0 : SPCBId 530 - IssuerName " DC=com,DC=FRANKLAB,CN=FRANKLAB-CAENT"
Apr 27 08:31:34 <local0.debug> 10.90.47.230 04/27/2017:07:31:34 GMT FRANKLAB-NS11 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 203 0 : SPCBId 530 - SubjectName " DC=com,DC=FRANKLAB,CN=Users,CN=Administrator/emailAddress=Administrator@franklab.com"
Apr 27 08:31:34 <local0.info> 10.90.47.230 04/27/2017:07:31:34 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM LOGIN 204 0 : Context administrator@franklab.com@10.90.41.39 - SessionId: 2- User administrator@franklab.com - Client_ip 10.90.41.39 - Nat_ip "Mapped Ip" - Vserver 10.90.47.197:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" - Group(s) "N/A"
Apr 27 08:31:34 <local0.info> 10.90.47.230 04/27/2017:07:31:34 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 205 0 : "AAATM Login: created session for <administrator@franklab.com> with cookie: <127eec02ec415c724fd572bc96c340f4>"
Apr 27 08:31:34 <local0.debug> 10.90.47.230 04/27/2017:07:31:34 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM HTTPREQUEST 206 0 : Context administrator@franklab.com@10.90.41.39 - SessionId: 2- krbauth.franklab.com User administrator@franklab.com : Group(s) N/A : Vserver 10.90.47.197:443 - 04/27/2017:07:31:34 GMT : SSO is OFF : GET / - -
Apr 27 08:31:34 <local0.debug> 10.90.47.230 04/27/2017:07:31:34 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 207 0 : "cookie idx is 12, tmaaa cookie -1, temp cookie -1"
Apr 27 08:31:34 <local0.debug> 10.90.47.230 04/27/2017:07:31:34 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 208 0 : "SSO: Looking up PE cache for tickets for Administrator@FRANKLAB.COM@FRANKLAB-SF@FRANKLAB.COM of len 52"
Apr 27 08:31:34 <local0.debug> 10.90.47.230 04/27/2017:07:31:34 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 209 0 : "SSO: Successfully found kerberos credentials in cache for FRANKLAB-SF"
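
An added example (not part of the original article): a small Python parser that follows the Kerberos SSO messages in ns.log and reports, for each packet-engine cache lookup, whether the ticket was fetched via S4U or served from the in-memory cache. The sample lines are entries 194-198 and 208-209 from the lab log above; the function and outcome names are illustrative, and it assumes the messages of one lookup are not interleaved with those of another.

```python
import re

# Entries 194-198 and 208-209 copied from the lab log on this page.
SAMPLE = '''
Apr 27 08:31:06 <local0.debug> 10.90.47.230 04/27/2017:07:31:06 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 194 0 : "SSO: Looking up PE cache for tickets for Administrator@FRANKLAB.COM@FRANKLAB-SF@FRANKLAB.COM of len 52"
Apr 27 08:31:06 <local0.err> 10.90.47.230 04/27/2017:07:31:06 GMT FRANKLAB-NS11 0-PPE-0 : default SSLVPN Message 195 0 : "Keberos resumeNotification; entry: 52 Administrator@FRANKLAB.COM@FRANKLAB-SF@FRANKLAB.COM not found, pcb_fip = 192.168.0.12, pcb_fport = 80"
Apr 27 08:31:06 <local0.debug> 10.90.47.230 04/27/2017:07:31:06 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 196 0 : "SSO: S4U Response: Received code from aaad is 2"
Apr 27 08:31:06 <local0.info> 10.90.47.230 04/27/2017:07:31:06 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 197 0 : "SSO: S4U response: Core 0 Received ticket for host FRANKLAB-SF, serialized ticket len 1497"
Apr 27 08:31:06 <local0.debug> 10.90.47.230 04/27/2017:07:31:06 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 198 0 : "SSO: Inserting kerberos ticket for Administrator@FRANKLAB.COM@FRANKLAB-SF@FRANKLAB.COM of len 52 in DHT"
Apr 27 08:31:34 <local0.debug> 10.90.47.230 04/27/2017:07:31:34 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 208 0 : "SSO: Looking up PE cache for tickets for Administrator@FRANKLAB.COM@FRANKLAB-SF@FRANKLAB.COM of len 52"
Apr 27 08:31:34 <local0.debug> 10.90.47.230 04/27/2017:07:31:34 GMT FRANKLAB-NS11 0-PPE-0 : default AAATM Message 209 0 : "SSO: Successfully found kerberos credentials in cache for FRANKLAB-SF"
'''

# syslog time, then "<partition> <module> Message <seq> 0 :" and the quoted text
LINE_RE = re.compile(
    r'^(\w{3}\s+\d+ [\d:]{8}) <\S+> .*? : \S+ \w+ Message (\d+) \d+ :\s+"(.*)"\s*$')
LOOKUP = re.compile(r'SSO: Looking up PE cache for tickets for (\S+) of len')
HIT = re.compile(r'SSO: Successfully found kerberos credentials in cache for (\S+)')
S4U = re.compile(r'SSO: S4U response: Core \d+ Received ticket for host ([^,\s]+)')
INSERT = 'SSO: Inserting kerberos ticket'

def trace_sso(log_text):
    """Return one record per PE-cache lookup with its outcome."""
    records, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, seq, msg = m.groups()
        if (k := LOOKUP.search(msg)):
            # A lookup opens a new record; later messages resolve it.
            current = {"time": when, "seq": int(seq), "key": k.group(1),
                       "outcome": "unresolved", "host": None, "cached": False}
            records.append(current)
        elif current is None:
            continue
        elif (h := HIT.search(msg)):
            current.update(outcome="cache_hit", host=h.group(1))
        elif (s := S4U.search(msg)):
            current.update(outcome="fetched_via_s4u", host=s.group(1))
        elif INSERT in msg and current["outcome"] == "fetched_via_s4u":
            current["cached"] = True  # ticket stored in memory for later logons
    return records

if __name__ == "__main__":
    for rec in trace_sso(SAMPLE):
        print(rec["time"], rec["seq"], rec["outcome"], rec["host"])
```
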