Re: Make error messages more useful: add a URI (Roland Mainz)
Intranets have to have (at a minimum) a KDC.
So they could spin up a web server on that intranet and stage the URLs there. Or (as
someone else suggested) use file:// URLs.
I'm a huge fan of whatever can provide more meaningful error messages. I recently
spent about 3 weeks chasing down an obscure authentication failure. It kept complaining
about "invalid principal". So I'm double-checking, triple-checking this user principal.
KRB5_TRACE, etc. was no help.
Finally, I ran an ancient KRB5 client on this host, which spat out more detailed, meaningful
ancillary information. It output the offending principal. It was the host principal. It was
looking up and finding the host in the local domain, not the remote (trusted) domain in which
the host resided. Apparently, at one time in the far-distant past, this host had registered
in this domain.
I deleted the host principal in the local domain and then all worked.
I realize that modern KRB5 implementations display far less ancillary information than old versions.
I understand (due to internationalization/localization issues) that's necessary, but it makes it far harder
to troubleshoot, especially in complex KRB5 topologies.
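The failure mode described in the message above, a host principal left behind in the local realm while the host itself now belongs to a trusted realm, can be caught before it costs weeks by comparing each realm's exported host principals against the [domain_realm] mapping. The following is an added example, not code from the original thread or from any KRB5 implementation; the realm names, hostnames and principal lists are constructed sample data, and the suffix-matching helper mimics krb5.conf's [domain_realm] convention (a leading dot matches any host under that domain) rather than calling a Kerberos library.

```python
"""Find host/ principals registered in a realm other than the one the host's
DNS domain maps to. Added example; the data below is constructed."""

# Constructed krb5.conf-style [domain_realm] mapping.
# A leading dot means "any host under this domain"; a bare name matches
# only that exact hostname (same convention as krb5.conf).
DOMAIN_REALM = {
    ".corp.example.com": "CORP.EXAMPLE.COM",
    ".lab.example.org": "LAB.EXAMPLE.ORG",
}

# Constructed per-realm principal exports, as a KDC administrator might dump them.
PRINCIPALS_BY_REALM = {
    "CORP.EXAMPLE.COM": {
        "host/app01.corp.example.com",
        "host/db07.lab.example.org",   # stale: this host now lives in the LAB realm
        "krbtgt/LAB.EXAMPLE.ORG",
    },
    "LAB.EXAMPLE.ORG": {
        "host/db07.lab.example.org",
        "krbtgt/CORP.EXAMPLE.COM",
    },
}


def realm_for_host(fqdn, mapping=DOMAIN_REALM):
    """Mimic a [domain_realm] lookup: try the exact hostname first, then each
    parent domain from most to least specific. Returns None when nothing matches."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn in mapping:
        return mapping[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def find_misplaced_host_principals(principals_by_realm, mapping=DOMAIN_REALM):
    """Return (principal, registered_realm, expected_realm) for every host/
    principal stored in a realm other than the one its hostname maps to.
    Principals whose hostname has no mapping are skipped, not flagged."""
    findings = []
    for realm, principals in principals_by_realm.items():
        for princ in principals:
            if not princ.startswith("host/"):
                continue
            fqdn = princ[len("host/"):]
            expected = realm_for_host(fqdn, mapping)
            if expected is not None and expected != realm:
                findings.append((princ, realm, expected))
    return sorted(findings)


if __name__ == "__main__":
    for princ, registered, expected in find_misplaced_host_principals(PRINCIPALS_BY_REALM):
        print(f"{princ}@{registered} is stale; the host maps to {expected}")
```

In a real deployment the principal sets would come from each realm's own administrative export and the mapping from the client's krb5.conf; the report then lists exactly the entries that would be found in the wrong realm before the trusted one is ever consulted.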