[DOCS] Add Kerberos troubleshooting documentation (#32803)

This commit adds troubleshooting section for Kerberos.
Most of the times the problems seen are caused due to invalid
configurations like keytab missing principals or credentials
not up to date. Time synchronization is an important part for
Kerberos infrastructure and the time skew can cause problems.
To debug further documentation explains how to enable JAAS
Kerberos login module debugging and Kerberos/SPNEGO debugging
by setting JVM system properties.

Author: bizybot

x-pack/docs/en/security/troubleshooting.asciidoc

@@ -15,6 +15,7 @@ answers for frequently asked questions.
 * <<trb-security-maccurl>>
 * <<trb-security-sslhandshake>>
 * <<trb-security-ssl>>
+* <<trb-security-kerberos>>
 * <<trb-security-internalserver>>
 * <<trb-security-setup>>
 
@@ -319,6 +320,77 @@ In this case, you must install the
 <<ciphers, JCE Unlimited Strength Jurisdiction Policy Files>>.
 --
 
+[[trb-security-kerberos]]
+=== Common Kerberos exceptions
+
+*Symptoms:*
+
+* User authentication fails due to either GSS negotiation failure 
+or a service login failure (either on the server or in the {es} http client). 
+Some of the common exceptions are listed below with some tips to help resolve 
+them.
+
+*Resolution:*
+
+`Failure unspecified at GSS-API level (Mechanism level: Checksum failed)`::
++
+--
+
+When you see this error message on the HTTP client side, then it may be 
+related to an incorrect password.
+
+When you see this error message in the {es} server logs, then it may be 
+related to the {es} service keytab. The keytab file is present but it failed 
+to log in as the user. Please check the keytab expiry. Also check whether the 
+keytab contain up-to-date credentials; if not, replace them.
+
+You can use tools like `klist` or `ktab` to list principals inside 
+the keytab and validate them. You can use `kinit` to see if you can acquire 
+initial tickets using the keytab. Please check the tools and their documentation 
+in your Kerberos environment.
+
+Kerberos depends on proper hostname resolution, so please check your DNS infrastructure.
+Incorrect DNS setup, DNS SRV records or configuration for KDC servers in `krb5.conf` 
+can cause problems with hostname resolution.
+
+--
+
+`Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))`::
+
+`Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))`::
++
+--
+
+To prevent replay attacks, Kerberos V5 sets a maximum tolerance for computer 
+clock synchronization and it is typically 5 minutes. Please check whether 
+the time on the machines within the domain is in sync.
+
+--
+
+As Kerberos logs are often cryptic in nature and many things can go wrong 
+as it depends on external services like DNS and NTP. You might 
+have to enable additional debug logs to determine the root cause of the issue.
+
+{es} uses a JAAS (Java Authentication and Authorization Service) Kerberos login 
+module to provide Kerberos support. To enable debug logs on {es} for the login 
+module use following Kerberos realm setting:
+[source,yaml]
+----------------
+xpack.security.authc.realms.<realm-name>.krb.debug: true
+----------------
+
+For detailed information, see {ref}/security-settings.html#ref-kerberos-settings[Kerberos realm settings].
+
+Sometimes you may need to go deeper to understand the problem during SPNEGO 
+GSS context negotiation or look at the Kerberos message exchange. To enable 
+Kerberos/SPNEGO debug logging on JVM, add following JVM system properties:
+
+`-Dsun.security.krb5.debug=true`
+
+`-Dsun.security.spnego.debug=true`
+
+For more information about JVM system properties, see {ref}/jvm-options.html[configuring JVM options].
+
 [[trb-security-internalserver]]
 === Internal Server Error in Kibana