Troubleshooting IPfonix, Inc. KDCs

While we are happy to help customers troubleshoot apparent problems in our KDCs, we do ask that, before contacting us to notify us of a problem, you:

1. Make sure that you understand the requirements in the PacketCable security specification.
   The Security specification is quite a complex (but very complete) document. Some of the details associated with the PacketCable use of Kerberos are non-obvious. Be certain that you understand exactly how the specification requires the KDC to function before contacting us about an apparent discrepancy between the actual behaviour and the behaviour as defined in the specification.
2. Check your kdc.ini file against the documentation in the KDC User Guide very, very carefully.
   Almost all of the “errors” that people tell us about are actually a result of mis-spelling or misunderstanding about how the kdc.ini file is processed. To help you determine how the KDC is interreting your kdc.ini file, look carefully at the information printed to the KDC log file when the KDC starts up. Most of the commands in the kdc.ini file cause the KDC to output informational text into the logfile, reflecting the way in which the KDC has interpreted the command. If the contents of the logfile do not match what you expect to see, we recommend that you examine every character in the command in the kdc.ini file, to make sure that there are no non-printing characters, mis-spellings, etc.

If you do have to contact us, please include a copy of the logfile and your kdc.ini file.

Problem: The KDC complains that the license file cannot be verified, even though it has not expired

Check that the contents of the file have not been in any way altered from the license as it was e-mailed to you. We do verify that license files function correctly before sending them out.

Also, check that the license matches the version of the KDC that you are using. PacketCable, CableHome and PacketCable/CableHome license files differ slightly from one another, and each will function correctly only on the version of the KDC for which it was generated.

Problem: The KDC ignores changes to the kdc.ini file

Check that you have included a [compliance] section with the line:

compliant = false

Problem: The KDC seems to operate OK, but when I look at the log it says that there were errors reading the private key file

The KDC_private_key can be in any one of three formats: PKCS#1, PKCS#8 and the proprietary format described in the User Guide. The KDC will attempt to parse the file in each of these formats in turn, until it finds a match. If the KDC attempts to read the file in an incorrect format, it will generate an error message before moving to the next format.

Problem: The KDC rejects the certificates I have provisioned, or the KDC rejects the certificates in the AS-REQ

One or more certificates do not meet the requirements in the security specification. The KDC does (usually) try to explain in the log file what is wrong. If you are not certain that you understand the relationship among the various certificates that must be provisioned on to the KDC, please look at our configuration TiddlyWiki.