ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamz_5.4.0.1/rzamztroubleshoot.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Troubleshoot" />
<meta name="abstract" content="Use this information to resolve some common errors that you might experience while configuring and using a single signon environment." />
<meta name="description" content="Use this information to resolve some common errors that you might experience while configuring and using a single signon environment." />
<meta name="DC.Relation" scheme="URI" content="rzamzsso.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhtrouble.htm" />
<meta name="DC.Relation" scheme="URI" content="http://www.dns.net/dnsrd/rfc/rfc1713.html" />
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalvtrblshoot.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamztroubleshoot" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Troubleshoot</title>
</head>
<body id="rzamztroubleshoot"><a name="rzamztroubleshoot"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Troubleshoot</h1>
<div><p>Use this information to resolve some common errors
that you might experience while configuring and using a single signon environment.</p>
<div class="section">There are several checks that you can perform to isolate problems
with your <span class="keyword">i5/OS™</span> single
signon configuration:</div>
<ol><li class="stepexpand"><span>You can confirm that your network authentication service configuration
is correct by performing the qshell <samp class="codeph">kinit</samp> command. </span> To do this, enter the qshell environment and issue the <samp class="codeph">kinit
-k &lt;service name&gt;</samp> command. This command uses the keytab entry
that was created in the network authentication service wizard. This command
verifies that the encrypted password for the service is the same password
that is stored on the KDC. If this command does not complete successfully,
revisit your <a href="../rzakh/rzakhconfig.htm">network
authentication service configuration</a>.</li>
<li class="stepexpand"><span><a href="../rzakh/rzakhpdns.htm">Verify
your host name resolution configurations</a>, including your DNS server(s).</span></li>
<li class="stepexpand"><span>Verify the EIM system configuration information on each <span class="keyword">i5/OS</span> system that performs mapping
lookup operations.</span><ol type="a"><li><span>Using <span class="keyword">iSeries™ Navigator</span>,
sign on to the system.</span></li>
<li><span>Select the system, and expand <span class="uicontrol">Network--&gt;Enterprise
Identity Mapping--&gt;Configuration</span>.</span></li>
<li><span>Right-click the <span class="uicontrol">Configuration</span> folder
and select <span class="uicontrol">Properties</span>.</span></li>
<li><span>On the <span class="uicontrol">Domain</span> page, verify the domain
connection settings and click <span class="uicontrol">Verify Configuration</span>.
This verifies that the domain controller is active and that the settings for
the domain controller are correct.</span></li>
<li><span>On the <span class="uicontrol">System User</span> page, click <span class="uicontrol">Verify
Connection</span> to verify that the system user is specified correctly.</span></li>
</ol>
</li>
<li class="stepexpand"><span>Verify defined EIM associations by using the <a href="../rzalv/rzalvtestmappings.htm">Test EIM mappings</a> function
to verify that the associations you have defined provide the mappings you
expect.</span></li>
<li class="stepexpand"><span>If your single signon configuration includes a multiple tier network,
verify that ticket delegation is enabled for the server in the middle tier.
This is required for the middle tier server to forward user credentials to
the next server. You can enable ticket delegation on the Active Directory
or Kerberos server. An example of a multiple tier network is a PC that authenticates
with one server and then connects to another server.</span></li>
</ol>
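<p>The host name checks in step 2 (and the <samp class="codeph">NSLOOKUP</samp> and PTR record symptoms in the table below) can be scripted. The following is an added example, not IBM code: it performs a forward lookup of the server's host name, a reverse lookup of the resulting address, and compares the two round trips as the PC and the <span class="keyword">i5/OS</span> system would see them. The function names (<samp class="codeph">check_host_resolution</samp>, <samp class="codeph">compare_vantage_points</samp>, <samp class="codeph">table_resolver</samp>) and the host <samp class="codeph">myi5.example.com</samp> with address <samp class="codeph">10.1.2.3</samp> are constructed for the illustration; the <samp class="codeph">live_forward</samp> and <samp class="codeph">live_reverse</samp> helpers use the Python standard library resolver for a real environment.</p>

```python
"""Forward/reverse host name consistency check (added example, not IBM code)."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Forward = Callable[[str], Optional[str]]  # host name -> IP address, or None if unresolvable
Reverse = Callable[[str], Optional[str]]  # IP address -> host name, or None if no PTR record


def canon(name: str) -> str:
    """DNS names are case-insensitive; also drop the trailing dot of an absolute name."""
    return name.rstrip(".").lower()


def live_forward(name: str) -> Optional[str]:
    """Forward lookup through the resolver configured on the machine running this script."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup through the same resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def table_resolver(a_records: Dict[str, str], ptr_records: Dict[str, str]) -> Tuple[Forward, Reverse]:
    """Lookups backed by constructed records, standing in for a DNS zone or a host table."""
    def forward(name: str) -> Optional[str]:
        return a_records.get(canon(name))

    def reverse(ip: str) -> Optional[str]:
        return ptr_records.get(ip)

    return forward, reverse


def check_host_resolution(expected_host: str, forward: Forward, reverse: Reverse) -> List[str]:
    """Return the problems found for one vantage point; an empty list means the name round-trips."""
    ip = forward(expected_host)
    if ip is None:
        return [f"{expected_host}: no address record; check DNS or the host table (CFGTCP option 10)"]
    name = reverse(ip)
    if name is None:
        return [f"{ip}: no PTR record; have the DNS administrator add one for {expected_host}"]
    if canon(name) != canon(expected_host):
        return [f"{ip}: reverse lookup returns {name}, not {expected_host}; "
                "list the primary host name first for this address"]
    return []


def compare_vantage_points(expected_host: str, pc: Tuple[Forward, Reverse],
                           system: Tuple[Forward, Reverse]) -> List[str]:
    """Run the check as the PC and as the i5/OS system see it, and flag any disagreement."""
    problems = [f"PC: {p}" for p in check_host_resolution(expected_host, *pc)]
    problems += [f"i5/OS: {p}" for p in check_host_resolution(expected_host, *system)]
    pc_ip, sys_ip = pc[0](expected_host), system[0](expected_host)
    if pc_ip and sys_ip and pc_ip != sys_ip:
        problems.append(f"PC resolves {expected_host} to {pc_ip} but i5/OS resolves it to {sys_ip}")
    return problems


if __name__ == "__main__":
    # Constructed sample records (not real hosts): the host table on the i5/OS system is
    # complete, but the DNS server the PC uses has no PTR record for the server's address.
    system_view = table_resolver({"myi5.example.com": "10.1.2.3"}, {"10.1.2.3": "myi5.example.com"})
    pc_view = table_resolver({"myi5.example.com": "10.1.2.3"}, {})
    for line in compare_vantage_points("MyI5.example.com", pc_view, system_view) or ["consistent"]:
        print(line)
    # Against a real environment, run this script on each machine with
    # check_host_resolution(host, live_forward, live_reverse) and compare the two reports.
```

<p>The comparison is case-insensitive because DNS names are, so a difference in letter case between the PC and the system is not reported as a mismatch; a missing PTR record, a different primary name for the address, or two different addresses for the same name are.</p>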
<div class="section"><p>If you are still experiencing a problem with your single signon
after reviewing the steps above, use the following table to determine possible
solutions to the symptoms of your configuration problems:</p>
<div class="p">
<div class="tablenoborder"><a name="rzamztroubleshoot__troubletable"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="rzamztroubleshoot__troubletable" frame="border" border="1" rules="all"><thead align="left"><tr><th align="center" valign="top" width="34.715025906735754%" id="d0e109"><strong>Symptoms</strong></th>
<th align="center" valign="top" width="65.28497409326425%" id="d0e112"><strong>Possible solutions</strong></th>
</tr>
</thead>
<tbody><tr><td colspan="2" align="center" valign="top" headers="d0e109 d0e112 "><p><strong>Host name resolution
problems</strong></p>
</td>
</tr>
<tr><td valign="top" width="34.715025906735754%" headers="d0e109 ">You are unable to connect to <span class="keyword">i5/OS</span> systems
within your single signon environment.</td>
<td valign="top" width="65.28497409326425%" headers="d0e112 "><ul><li>This may be due to host resolution problems. Verify that the PC and the <span class="keyword">iSeries</span> system resolve the server to the same host name. <a href="../rzakh/rzakhpdns.htm">Verify your host
name resolution configurations</a>, including your DNS server.</li>
<li>This may be due to NAS configuration problems. See the <a href="../rzakh/rzakhtrouble.htm">Troubleshoot network authentication
service</a> information in the <span class="keyword">iSeries Information Center</span>.</li>
</ul>
</td>
</tr>
<tr><td valign="top" width="34.715025906735754%" headers="d0e109 ">The <samp class="codeph">NSLOOKUP</samp> utility fails to resolve
a host name when given an IP address during an attempt to confirm that the
host resolution is consistent between your <span class="keyword">iSeries</span> system
and a client PC. </td>
<td valign="top" width="65.28497409326425%" headers="d0e112 ">The <samp class="codeph">NSLOOKUP</samp> utility uses the currently
configured DNS to resolve IP addresses from host names, as well as host names
from IP addresses. If a host name cannot be resolved from an IP address, the
most likely cause is a missing PTR record in DNS. Have your DNS administrator
add a PTR record for this IP address.</td>
</tr>
<tr><td colspan="2" align="center" valign="top" headers="d0e109 d0e112 "><p><strong>EIM configuration
problems</strong></p>
</td>
</tr>
<tr><td valign="top" width="34.715025906735754%" headers="d0e109 ">EIM mappings are not working as expected. In some instances,
you are unable to sign into <span class="keyword">iSeries Navigator</span> when
using Kerberos authentication.</td>
<td valign="top" width="65.28497409326425%" headers="d0e112 "> <ul><li>The domain controller is inactive. Activate the domain controller.</li>
<li>The EIM configuration is incorrect on the system or systems that you are
trying to use Kerberos authentication with or get mappings for. Verify your
EIM configuration. Expand <span class="uicontrol">Network--&gt;Enterprise Identity Mapping--&gt;Configuration</span> on
the system that you are trying to authenticate with. Right-click the <span class="uicontrol">Configuration</span> folder
and select <span class="uicontrol">Properties</span> and verify the following:<ul><li><strong>Domain </strong> page:<ul><li>The domain controller name and port numbers are correct.</li>
<li>Click <span class="uicontrol">Verify Configuration</span> to verify that the domain
controller is active.</li>
<li>The local registry name is specified correctly.</li>
<li>The Kerberos registry name is specified correctly.</li>
<li>Verify that <span class="uicontrol">Enable EIM operations for this system</span> is
selected.</li>
</ul>
</li>
<li><strong>System user </strong> page:<ul><li>The specified user has sufficient EIM access control to perform a mapping
lookup, and the password is valid for the user. See the online help to learn
more about the different types of user credentials.<div class="note"><span class="notetitle">Note:</span> Whenever passwords
are updated in the directory server, they must also be updated in the system
configuration.</div>
</li>
<li>Click <span class="uicontrol">Verify Connection</span> to confirm that the user
information specified is correct.</li>
</ul>
</li>
</ul>
</li>
<li>The EIM domain configuration is incorrect:<div class="note"><span class="notetitle">Note:</span> You can <a href="../rzalv/rzalvtestmappings.htm">Test EIM mappings</a> to
help verify that the associations for your EIM domain are properly configured.</div>
<ul><li>A target or source association for an EIM identifier is not set up correctly.
For example, there is no source association for the Kerberos principal (or
windows user) or it is incorrect. Or, the target association specifies an
incorrect user identity. <a href="../rzalv/rzalvdsplyallidentassocs.htm">Display all identifier associations for an EIM identifier</a> to
verify associations for a specific identifier.</li>
<li>A policy association is not set up correctly. <a href="../rzalv/rzalvdsplyallpoliciesdomain.htm">Display all policy associations for a domain</a> to verify
source and target information for all policy associations defined in the domain.</li>
<li>Mapping lookups are returning more than one target identity, indicating
that ambiguous mappings are configured. <a href="../rzalv/rzalvtestmappings.htm">Test EIM mappings</a> to identify which mappings are incorrect.</li>
<li>The registry definition and user identities do not match because of case
sensitivity. You can delete and re-create the registry, or delete and re-create
the association with the proper case.</li>
</ul>
</li>
<li>EIM support is not enabled.<ul><li>EIM has been disabled for the system. Verify that <span class="uicontrol">Enable EIM
operations for this system</span> is selected on the <span class="uicontrol">Domain</span> page
for the system EIM configuration properties (Expand <span class="uicontrol">Network--&gt;Enterprise
Identity Mapping--&gt;Configuration folder--&gt;Properties</span>.)</li>
<li>Policy association support is not enabled at the domain level. You may
need to <a href="../rzalv/rzalvenablepoliciesfordomain.htm">enable policy associations for a domain</a>.</li>
<li>Mapping lookup support or policy association support is not enabled at
the individual registry level. You may need to <a href="../rzalv/rzalvenablepoliciesforregistry.htm">enable mapping lookup support and the use of policy associations
for the target registry</a>. </li>
</ul>
</li>
</ul>
</td>
</tr>
<tr><td class="oddrowgrey" colspan="2" align="center" valign="top" headers="d0e109 d0e112 "><p><strong>Network
authentication service configuration problems</strong></p>
</td>
</tr>
<tr><td valign="top" width="34.715025906735754%" headers="d0e109 ">A <samp class="codeph">keytab entry</samp> is not found when you
perform a <samp class="codeph">keytab list</samp>.</td>
<td valign="top" width="65.28497409326425%" headers="d0e112 "><ul><li>This can be due to a host resolution problem on the <span class="keyword">iSeries</span> system.
If you are using a host table, perform the <samp class="codeph">CFGTCP</samp> command,
option 10 and verify that the primary host name is listed first for the IP
address of the server.</li>
<li><a href="../rzakh/rzakhpdns.htm">Verify
your host name resolution configurations</a>, including your DNS server.</li>
</ul>
</td>
</tr>
<tr><td valign="top" width="34.715025906735754%" headers="d0e109 ">Users are unable to connect to systems. </td>
<td valign="top" width="65.28497409326425%" headers="d0e112 ">Users may be unable to connect to systems if the EIM
registry definition for the Kerberos registry was inappropriately defined
as case sensitive. Delete and re-create the Kerberos registry. <div class="note"><span class="notetitle">Note:</span> You will
lose any associations that have been defined for that registry and will have
to re-create them.</div>
</td>
</tr>
<tr><td valign="top" width="34.715025906735754%" headers="d0e109 ">User receives a message indicating an incorrect password
when verifying the network authentication service configuration.</td>
<td valign="top" width="65.28497409326425%" headers="d0e112 ">The password for the service in the KDC does not match
the password for the service in the keytab. Update the keytab entry by using
the keytab add command, and update the password for the service on the KDC.</td>
</tr>
<tr><td valign="top" width="34.715025906735754%" headers="d0e109 ">User receives the following message: <samp class="codeph">Unable
to obtain name of default credentials cache</samp>.</td>
<td valign="top" width="65.28497409326425%" headers="d0e112 ">Verify that a home directory <samp class="codeph">(/home/&lt;user
profile&gt;)</samp> exists for the user that is performing the <samp class="codeph">kinit</samp>.</td>
</tr>
<tr><td valign="top" width="34.715025906735754%" headers="d0e109 ">User receives the following message: <samp class="codeph">Response
too large for datagram.</samp></td>
<td valign="top" width="65.28497409326425%" headers="d0e112 ">Update the network authentication service configuration
to use TCP as the data communications protocol:<ol><li>Using <span class="keyword">iSeries Navigator</span>, select
the system that issued the message.</li>
<li>Select <span class="uicontrol">Security--&gt;Network Authentication Service properties</span>.</li>
<li>On the <span class="uicontrol">General</span> page, select <span class="uicontrol">Use TCP</span> and
click <span class="uicontrol">Ok</span>.</li>
</ol>
</td>
</tr>
<tr><td colspan="2" align="center" valign="top" headers="d0e109 d0e112 "><p><strong>General problems</strong></p>
</td>
</tr>
<tr><td valign="top" width="34.715025906735754%" headers="d0e109 ">You receive error message <samp class="codeph">CWBSY10XX</samp> when
attempting single signon. </td>
<td valign="top" width="65.28497409326425%" headers="d0e112 "><ul><li>Use the help associated with the text to resolve the problem.</li>
<li>Use the <span class="keyword">iSeries</span> Access
detail trace feature to determine if the appropriate Kerberos ticket is retrieved.</li>
<li>Download the Microsoft<sup>®</sup> kerbtray utility to verify that the user
has Kerberos credentials.</li>
<li>If <span class="keyword">iSeries Navigator</span> single signon
is failing, check the <samp class="codeph">QZSOSIGN</samp> jobs in the <samp class="codeph">QUSRWRK</samp> subsystem.
Search through the jobs for a <samp class="codeph">CPD3E3F</samp> message. If you find
the <samp class="codeph">CPD3E3F</samp> message, use the recovery information provided
within the message. The diagnostic message contains both major and minor status
codes to indicate where the problem occurred. The most common errors are documented
in the message along with the recovery.</li>
<li>If PC5250 is failing, check the following:<ul><li>Check the <samp class="codeph">QTVDEVICE</samp> jobs for the <samp class="codeph">CPD3E3F</samp> message.</li>
<li>Check the <samp class="codeph">QRMTSIGN</samp> system value and verify it is set
to <samp class="codeph">*VERIFY</samp> or <samp class="codeph">*SAMEPRF</samp>.</li>
</ul>
</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
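<p>Several rows of the table above (a missing or incorrect source or target association, ambiguous mappings that return more than one target identity, a Kerberos registry that was defined as case sensitive, and mapping lookup or policy association support that is not enabled) describe what an EIM mapping lookup does when it fails. The following is an added example, not IBM's EIM implementation: it models a domain with registry definitions, EIM identifiers carrying source and target associations, and default registry policy associations, performs a mapping lookup in the same order (identifier associations first, then policy associations), and returns a diagnosis naming which of those symptoms applies. The class and function names, the registry names <samp class="codeph">EXAMPLE.COM</samp> and <samp class="codeph">MYI5.EXAMPLE.COM</samp>, and the user identities are constructed for the illustration.</p>

```python
"""EIM mapping lookup model (added example; not IBM's EIM implementation)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

UserRef = Tuple[str, str]  # (registry name, user identity)


@dataclass
class Registry:
    name: str
    case_sensitive: bool = False              # compare user identities exactly when True
    mapping_lookups_enabled: bool = True      # registry-level "enable mapping lookup support"
    policy_associations_enabled: bool = True  # registry-level policy association support


@dataclass
class Identifier:
    name: str
    sources: Set[UserRef] = field(default_factory=set)  # source associations
    targets: Set[UserRef] = field(default_factory=set)  # target associations


@dataclass
class Domain:
    registries: Dict[str, Registry]
    identifiers: List[Identifier]
    # default registry policy associations: (source registry, target registry) -> target user
    policies: Dict[Tuple[str, str], str] = field(default_factory=dict)
    policy_associations_enabled: bool = True  # domain-level policy association support


@dataclass
class LookupResult:
    targets: List[str]  # exactly one entry means a usable mapping
    diagnosis: str      # why the lookup succeeded or failed


def user_key(registry: Registry, user: str) -> str:
    """Identity comparison key honouring the registry's case sensitivity."""
    return user if registry.case_sensitive else user.lower()


def mapping_lookup(domain: Domain, src_reg: str, src_user: str, tgt_reg: str) -> LookupResult:
    src, tgt = domain.registries.get(src_reg), domain.registries.get(tgt_reg)
    if src is None or tgt is None:
        return LookupResult([], "registry definition not found: check the registry names on the Domain page")
    if not tgt.mapping_lookups_enabled:
        return LookupResult([], f"mapping lookup support is not enabled for registry {tgt.name}")

    # Step 1: identifier associations (source association -> identifier -> target association)
    want = user_key(src, src_user)
    matched = [i for i in domain.identifiers
               if any(r == src.name and user_key(src, u) == want for r, u in i.sources)]
    found: Dict[str, Tuple[str, str]] = {}  # target key -> (target user, identifier name)
    for ident in matched:
        for r, u in ident.targets:
            if r == tgt.name:
                found.setdefault(user_key(tgt, u), (u, ident.name))
    if len(found) > 1:
        users = sorted(u for u, _ in found.values())
        return LookupResult(users, "ambiguous mapping: more than one target identity; fix the identifier associations")
    if len(found) == 1:
        user, via = next(iter(found.values()))
        return LookupResult([user], f"mapped through identifier '{via}'")

    # Step 2: default registry policy association, used only when no identifier association applies
    if domain.policy_associations_enabled and tgt.policy_associations_enabled:
        policy_user = domain.policies.get((src.name, tgt.name))
        if policy_user is not None:
            return LookupResult([policy_user], f"mapped by the default registry policy {src.name} -> {tgt.name}")
    elif (src.name, tgt.name) in domain.policies:
        return LookupResult([], "a policy association exists but policy support is disabled for the domain or target registry")

    # Step 3: nothing matched; say which association is missing or differs only in case
    if matched:
        return LookupResult([], f"identifier '{matched[0].name}' has no target association in registry {tgt.name}")
    if src.case_sensitive and any(r == src.name and u.lower() == src_user.lower()
                                  for i in domain.identifiers for r, u in i.sources):
        return LookupResult([], f"a source association differs only in case and registry {src.name} is case sensitive")
    return LookupResult([], f"no source association for '{src_user}' in registry {src.name}")


def sample_domain() -> Domain:
    """Constructed sample domain (names are illustrative, not a real configuration)."""
    kerb = Registry("EXAMPLE.COM")        # Kerberos registry, left case-insensitive as the table advises
    i5 = Registry("MYI5.EXAMPLE.COM")     # local i5/OS user registry
    jane = Identifier("Jane Doe", {(kerb.name, "jdoe")}, {(i5.name, "JDOE")})
    return Domain({kerb.name: kerb, i5.name: i5}, [jane],
                  policies={(kerb.name, i5.name): "GUESTUSR"})


if __name__ == "__main__":
    d = sample_domain()
    for user in ("jdoe", "JDoe", "nobody"):
        r = mapping_lookup(d, "EXAMPLE.COM", user, "MYI5.EXAMPLE.COM")
        print(f"{user:8} -> {r.targets} ({r.diagnosis})")
```

<p>Adding a second identifier with the same Kerberos source association but a different target user produces the ambiguous result the table describes, and marking the Kerberos registry as case sensitive makes a lookup for <samp class="codeph">JDOE</samp> fail against a source association recorded as <samp class="codeph">jdoe</samp>, which is why the table recommends re-creating that registry as case insensitive.</p>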
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzsso.htm">Single signon</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzakh/rzakhtrouble.htm">Troubleshoot network authentication service</a></div>
<div><a href="http://www.dns.net/dnsrd/rfc/rfc1713.html">Tools for DNS debugging</a></div>
<div><a href="../rzalv/rzalvtrblshoot.htm">Troubleshoot EIM.</a></div>
</div>
</div>
</body>
</html>