Kerberos diagnostics logging

For certain troubleshooting cases, it’s useful to log Kerberos client failures to a file. The rate and volume of failures can be so high that you don’t have time to look at them in the UI before they are pushed out.

This log is fairly low level but still more curated than full-on DEBUG for everything. Log statements are written in a standardized JSON format with the keys "timestamp", "context" and "message" (the last containing several comma-separated details from the failure) for easy analysis in log monitoring tools. They look like this:

2019-11-11 15:23:07,231 https-jsse-nio-8443-exec-7 WARN anonymous 923x9201x1 bm4kxx 127.0.0.1 /rest/analytics/1.0/publish/bulk [com.kantegasso.DiagnosticsLog] {"timestamp":"2019-11-11 15:23:07,230","context":"Kerberos","message":"Authentication has FAILED, KerberosTicket: HTTP/kerberos-dev-local.example.com@EXAMPLE.LOCAL, EncType: 18, RequestUri: /jira/login.jsp, RemoteIP: 127.0.0.1, Reason: Failed to validate client token, Exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)"}
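
One way to analyse this log offline, as an added example that is not part of the original page or the product's own code: it pulls the JSON payload out of each `com.kantegasso.DiagnosticsLog` line, splits "message" into its fields and counts failures per (RemoteIP, EncType, Reason). The field names are taken from the sample line above; the other log lines, the `192.0.2.10` address and `[some.other.Logger]` are constructed, and the third line is cut off on purpose to show how a wrapped entry is counted as unparsed rather than silently dropped.

```python
import json
import re
from collections import Counter

LOGGER_TAG = "[com.kantegasso.DiagnosticsLog] "
FIELD_START = re.compile(r", (?=[A-Z][A-Za-z]*: )")  # boundary before each "Key: "

# Constructed sample: line 1 is the page's example on one line; lines 2-4 are made up.
SAMPLE_LOG = """\
2019-11-11 15:23:07,231 https-jsse-nio-8443-exec-7 WARN anonymous 923x9201x1 bm4kxx 127.0.0.1 /rest/analytics/1.0/publish/bulk [com.kantegasso.DiagnosticsLog] {"timestamp":"2019-11-11 15:23:07,230","context":"Kerberos","message":"Authentication has FAILED, KerberosTicket: HTTP/kerberos-dev-local.example.com@EXAMPLE.LOCAL, EncType: 18, RequestUri: /jira/login.jsp, RemoteIP: 127.0.0.1, Reason: Failed to validate client token, Exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)"}
2019-11-11 15:23:09,004 https-jsse-nio-8443-exec-2 WARN anonymous 923x9202x1 bm4kxx 192.0.2.10 /jira/login.jsp [com.kantegasso.DiagnosticsLog] {"timestamp":"2019-11-11 15:23:09,003","context":"Kerberos","message":"Authentication has FAILED, KerberosTicket: HTTP/kerberos-dev-local.example.com@EXAMPLE.LOCAL, EncType: 18, RequestUri: /jira/login.jsp, RemoteIP: 192.0.2.10, Reason: Failed to validate client token, Exception: GSSException: Failure unspecified at GSS-API level"}
2019-11-11 15:23:09,950 https-jsse-nio-8443-exec-2 WARN anonymous 923x9203x1 bm4kxx 192.0.2.10 /jira/login.jsp [com.kantegasso.DiagnosticsLog] {"timestamp":"2019-11-11 15:23:09,949","context":"Kerberos","message":"Authentication has FAILED, KerberosTicket: HTTP/kerberos-dev-local.example.com@EXAMPLE.LOCAL, EncType: 18, RequestUri: /jira/login.jsp, RemoteIP: 192.0.2.10, Reason: Failed to validate client token, Exception: GSSException: Failure unspecified at GSS-API level (Mechanism level:
2019-11-11 15:23:10,100 https-jsse-nio-8443-exec-3 INFO anonymous 923x9204x1 - 192.0.2.10 /jira/secure/Dashboard.jspa [some.other.Logger] unrelated line
"""

def parse_line(line):
    """Return one diagnostics event as a flat dict, or None if the line is not a complete one."""
    _, tag, payload = line.partition(LOGGER_TAG)
    if not tag:
        return None
    try:
        record = json.loads(payload)
    except json.JSONDecodeError:
        return None  # payload cut off, e.g. the entry was wrapped onto a second line
    if not isinstance(record, dict):
        return None
    # The exception text is free-form, so split it off before cutting on ", Key: ".
    head, sep, exc = record.get("message", "").partition(", Exception: ")
    status, *details = FIELD_START.split(head)
    event = {"timestamp": record.get("timestamp"), "context": record.get("context"), "status": status}
    for item in details:
        key, _, value = item.partition(": ")
        event[key] = value
    if sep:
        event["Exception"] = exc
    return event

def summarize(text):
    """Count Kerberos failures per (RemoteIP, EncType, Reason) plus unparseable diagnostics lines."""
    counts, unparsed = Counter(), 0
    for line in text.splitlines():
        if LOGGER_TAG not in line:
            continue  # other loggers share the same file
        event = parse_line(line)
        if event is None:
            unparsed += 1
        elif event["context"] == "Kerberos":
            counts[(event.get("RemoteIP"), event.get("EncType"), event.get("Reason"))] += 1
    return counts, unparsed
```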


Diagnostics logging is enabled the same way as audit logging, through the Atlassian application’s standard logging facilities. Follow the same procedure, but replace the logger name/category 'com.kantegasso.AuditLog' with 'com.kantegasso.DiagnosticsLog' in the examples above. In addition to enabling the logger category, you must press the 'Enable failure collection' button under Client failures, reached from the 'Usage counters' page.