FreeIPA Web UI login fails after upgrade to Rocky 8

I'm trying to upgrade an old CentOS 7-based FreeIPA setup to run on Rocky Linux 8.

The server is installed with the command "ipa-replica-install --principal admin --admin-password 'xxx' --setup-dns --setup-ca --setup-kra --forwarder=10.18.38.9" and I didn't notice any errors.

All seems to be working fine in the backend as far as I can see (kinit etc.).

But when I try to log in to the Web UI, the login fails with:
Your session has expired. Please log in again.

Looking at /var/log/httpd/error_log, I can see the following error when trying to log in:

[Wed Jun 04 15:11:49.072233 2025] [wsgi:error] [pid 2305:tid 139625594136320] [remote 172.17.0.3:44693] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.251'): SUCCESS
[Wed Jun 04 15:11:49.145416 2025] [wsgi:error] [pid 2306:tid 139625594136320] [remote 172.17.0.3:44695] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)
[Wed Jun 04 15:11:49.281768 2025] [wsgi:error] [pid 2306:tid 139625594136320] [remote 172.17.0.3:44695] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)

and in /var/log/krb5kdc.log

Jun 04 15:56:33 ipa02.opr.ngc.dk krb5kdc[2233](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.18.38.11: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1749045392, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa02.opr.ngc.dk@HPC.NGC.DK for ldap/ipa02.opr.ngc.dk@HPC.NGC.DK, KDC policy rejects request
Jun 04 15:56:33 ipa02.opr.ngc.dk krb5kdc[2233](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jun 04 15:56:33 ipa02.opr.ngc.dk krb5kdc[2233](info): closing down fd 11

Edit: OK, so I think I have identified the issue on

which indicated that this is a problem with SIDs and the solution should be to generate the SIDs with "ipa config-mod --enable-sid --add-sids", but this command is not valid on my Rocky 8.10 server:

# ipa config-mod --enable-sid --add-sids
Usage: ipa [global-options] config-mod [options]

ipa: error: no such option: --enable-sid
# cat /etc/redhat-release
Rocky Linux release 8.10 (Green Obsidian)

# ipa --version
VERSION: 4.9.13, API_VERSION: 2.251

Does anyone have an idea how to fix this?

Did you finish the migration and drop the CentOS 7 system(s)? If you have not, you really need to finish the migration before continuing.