6 Feb 2011

iCal to kerberos: Secretly I hate you

So last week iCal Server stopped authenticating via kerberos. My machines were getting tickets all fine for other services but calDAV just was refusing to authenticate. SSL off or on I kept getting the error:
"The server responded with “HTTP/1.1 401 Unauthorized” to operation CalDAVAccountRefreshQueueableOperation."
I read several help threads that seem to describe a myriad of things that you can do to help in this situation and just about all of them amount to voodoo.

Deleting my user's caches wouldn't work because it affects different users on the same machine.
Backup, Demotion and re-promotion of my Open Directory server is a drastic measure I don't want to take lightly.

To make the riddle more confusing I had the following log lines in the Password Service Server Log:
KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000000, admin} is in good standing.
KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000000, admin} authentication succeeded.
So authentication succeeded but something else was well and truly broken.

In the end, after a lot of head banging the solution for me was simple. To get authentication to my CalDAV server to start working again I had to type in the FQDN (fully qualified domain name) explicitly in server admin for the CalDAV service

Save, restart, all good. Why it was working previously for months without that explicitly in there is a mystery to me. Also a mystery is CalDAV in general. From reading the internet this issue probably isn't your issue at all but it is a nice quick fix to add to your arsenal before you rebuild your Open Directory.

No comments: