346 lines
24 KiB
HTML
346 lines
24 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="reference" />
|
||
|
<meta name="DC.Title" content="Application connection problems and recovery" />
|
||
|
<meta name="abstract" content="You may encounter these messages when applications use network authentication service." />
|
||
|
<meta name="description" content="You may encounter these messages when applications use network authentication service." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzakhtrouble.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rzakhapperr" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Application connection problems and recovery</title>
|
||
|
</head>
|
||
|
<body id="rzakhapperr"><a name="rzakhapperr"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Application connection problems and recovery</h1>
|
||
|
<div><p>You may encounter these messages when applications use network
|
||
|
authentication service.</p>
|
||
|
|
||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="rows"><caption>Table 1. Common
|
||
|
errors in Kerberos-enabled i5/OS™ interfaces</caption><thead align="left"><tr><th valign="top" width="50%" class="firstcol" id="d0e23">Problem</th>
|
||
|
<th valign="top" width="50%" id="d0e25">Recovery</th>
|
||
|
</tr>
|
||
|
</thead>
|
||
|
<tbody><tr><th valign="top" width="50%" class="firstcol" id="d0e29" headers="d0e23 ">You receive this error: Unable to obtain name of default
|
||
|
credentials cache.</th>
|
||
|
<td valign="top" width="50%" headers="d0e29 d0e25 ">Determine if the user signed on to the iSeries™ has
|
||
|
a directory in the /home directory. If the directory for the user does not
|
||
|
exist, <a href="rzakhhome.htm#rzakhhome">create a home directory</a> for
|
||
|
the credentials cache.</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e40" headers="d0e23 ">CPD3E3F Network Authentication Service error &2 occurred.</th>
|
||
|
<td valign="top" width="50%" headers="d0e40 d0e25 ">See the specific recovery information that corresponds
|
||
|
with this message.</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e45" headers="d0e23 ">DRDA/DDM connection fails on an iSeries system that previously connected.</th>
|
||
|
<td valign="top" width="50%" headers="d0e45 d0e25 ">Check to see if the default realm specified during network
|
||
|
authentication service configuration exists. If a default realm and Kerberos
|
||
|
server have not been configured, the network authentication service configuration
|
||
|
is incorrect and DRDA/DDM connections will fail. To recover from this error,
|
||
|
you can do one of the following tasks: <ol><li>If you are not using Kerberos authentication, then complete the following: <ol type="a"><li><a href="rzakhrrealms.htm#rzakhrrealms">Delete</a> the default
|
||
|
realm specified in the network authentication service configuration.</li>
|
||
|
</ol>
|
||
|
</li>
|
||
|
<li>If you are using Kerberos authentication, complete these steps: <ol type="a"><li><a href="rzakhconfig.htm#rzakhconfig">Reconfigure</a> network authentication
|
||
|
service specifying the default realm and Kerberos server that you created
|
||
|
in Step 1.</li>
|
||
|
<li>Configure iSeries Access
|
||
|
for Windows<sup>®</sup> applications
|
||
|
to use Kerberos authentication. This will set Kerberos authentication on all iSeries Access
|
||
|
for Windows applications,
|
||
|
including DRDA/DDM. (See <a href="rzakhscen2.htm#rzakhscen2">Scenario: Enable single signon for i5/OS</a>.)</li>
|
||
|
</ol>
|
||
|
</li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e85" headers="d0e23 ">QFileSvr.400 connection fails on an iSeries system
|
||
|
that previously connected.</th>
|
||
|
<td valign="top" width="50%" headers="d0e85 d0e25 ">Check to see if the default realm specified during network
|
||
|
authentication service configuration exists. If a default realm and Kerberos
|
||
|
server have not been configured, the network authentication service configuration
|
||
|
is incorrect and QFileSvr.400 connections will fail. To recover from this
|
||
|
error, you can do one of the following tasks: <ol><li>If you are not using Kerberos authentication, then complete the following: <ol type="a"><li><a href="rzakhrrealms.htm#rzakhrrealms">Delete</a> the default
|
||
|
realm specified in the network authentication service configuration.</li>
|
||
|
</ol>
|
||
|
</li>
|
||
|
<li>If you are using Kerberos authentication, complete these steps: <ol type="a"><li>Configure a default realm and Kerberos server on a secure system on the
|
||
|
network. See the documentation that corresponds with that system. </li>
|
||
|
<li><a href="rzakhconfig.htm#rzakhconfig">Reconfigure</a> network authentication
|
||
|
service specifying the default realm and Kerberos server that you create in
|
||
|
Step 1.</li>
|
||
|
<li>Configure iSeries Access
|
||
|
for Windows applications
|
||
|
to use Kerberos authentication. This will set Kerberos authentication on all iSeries Access
|
||
|
for Windows applications,
|
||
|
including DRDA/DDM. (See <a href="rzakhscen2.htm#rzakhscen2">Scenario: Enable single signon for i5/OS</a>.)</li>
|
||
|
</ol>
|
||
|
</li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><th colspan="2" valign="top" class="firstcol" id="d0e127" headers="d0e23 d0e25 "> </th>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e129" headers="d0e23 ">CWBSY1011 Kerberos client credentials not found.</th>
|
||
|
<td valign="top" width="50%" headers="d0e129 d0e25 ">The user does not have a ticket granting ticket (TGT).
|
||
|
This connection error occurs on the client PC when a user does not log into
|
||
|
a Windows 2000
|
||
|
domain. To recover from this error log into the Windows 2000 domain.</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e140" headers="d0e23 ">Error occurred while verifying connection settings. URL
|
||
|
does not have host. <strong>Note:</strong> This error occurs when you are using Enterprise
|
||
|
Identity Mapping (EIM).</th>
|
||
|
<td valign="top" width="50%" headers="d0e140 d0e25 ">To recover from this error, complete the following: <ol><li>In iSeries Navigator,
|
||
|
expand <span class="uicontrol">your server</span><span class="menucascade"><span class="uicontrol">Network</span></span><span class="menucascade"><span class="uicontrol">Servers</span></span><span class="menucascade"><span class="uicontrol">TCP/IP</span></span>.</li>
|
||
|
<li>Right-click <span class="uicontrol">Directory</span> and select <span class="uicontrol">Properties</span>.</li>
|
||
|
<li>On the <span class="uicontrol">General</span> page, validate that the administrator's
|
||
|
distinguished name and password match those you entered during EIM configuration.</li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e179" headers="d0e23 ">Error occurred while changing local directory server configuration.
|
||
|
GLD0232: Configuration cannot contain overlapping suffixes. <strong>Note:</strong> This
|
||
|
error occurs when you are using Enterprise Identity Mapping (EIM).</th>
|
||
|
<td valign="top" width="50%" headers="d0e179 d0e25 ">To recover from this error, complete the following: <ol><li>In iSeries Navigator,
|
||
|
expand <span class="uicontrol">your server</span><span class="menucascade"><span class="uicontrol">Network</span></span><span class="menucascade"><span class="uicontrol">Servers</span></span><span class="menucascade"><span class="uicontrol">TCP/IP</span></span>.</li>
|
||
|
<li>Right-click <span class="uicontrol">Directory</span> and select <span class="uicontrol">Properties</span>.</li>
|
||
|
<li>On the <span class="uicontrol">Database/Suffixes</span> page, remove any <span class="uicontrol">ibm-eimDomainName</span> entries
|
||
|
and reconfigure EIM.</li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e221" headers="d0e23 ">Error occurred while verifying connection settings. Exception
|
||
|
occurred calling an iSeries program. The called program is eimConnect.
|
||
|
Details are: com.ibm.as400.data.PcmlException. <strong>Note:</strong> This error occurs
|
||
|
when you are using Enterprise Identity Mapping (EIM).</th>
|
||
|
<td valign="top" width="50%" headers="d0e221 d0e25 ">To recover from this error, complete the following: <ol><li>In iSeries Navigator,
|
||
|
expand <span class="uicontrol">your server</span><span class="menucascade"><span class="uicontrol">Network</span></span><span class="menucascade"><span class="uicontrol">Servers</span></span><span class="menucascade"><span class="uicontrol">TCP/IP</span></span>.</li>
|
||
|
<li>Right-click <span class="uicontrol">Directory</span> and select <span class="uicontrol">Properties</span>.</li>
|
||
|
<li>On the <span class="uicontrol">Database/Suffixes</span> page, remove any <span class="uicontrol">ibm-eimDomainName</span> entries
|
||
|
and reconfigure EIM.</li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e266" headers="d0e23 ">Kerberos ticket from remote system cannot be authenticated. <div class="note"><span class="notetitle">Note:</span> This
|
||
|
error occurs when you are configuring Management Central systems to use Kerberos
|
||
|
authentication. </div>
|
||
|
</th>
|
||
|
<td valign="top" width="50%" headers="d0e266 d0e25 ">Verify that Kerberos in configured properly on all your
|
||
|
systems. This error may indicate a security violation. Try the request again,
|
||
|
if the problem persists contact service.</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e273" headers="d0e23 ">Cannot retrieve Kerberos service ticket. <div class="note"><span class="notetitle">Note:</span> This
|
||
|
error occurs when you are configuring Management Central systems to use Kerberos
|
||
|
authentication. </div>
|
||
|
</th>
|
||
|
<td valign="top" width="50%" headers="d0e273 d0e25 ">Verify that the Kerberos principal krbsvr400/iSeries
|
||
|
fully qualified host name@REALM is in the Kerberos server as well as the keytab
|
||
|
file for each of your systems. To verify if Kerberos principal is entered
|
||
|
in the Kerberos server, see <a href="rzakhdefineiseries.htm#rzakhdefineiseries">Add i5/OS principals to the Kerberos server</a>.
|
||
|
To verify if the Kerberos service principal names is entered in the keytab
|
||
|
file. See <a href="rzakhkkeytab.htm#rzakhkkeytab">Manage keytab files</a> for details.</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e286" headers="d0e23 ">Kerberos principal is not in trusted group. <div class="note"><span class="notetitle">Note:</span> This
|
||
|
error occurs when you are configuring Management Central systems to use Kerberos
|
||
|
authentication. </div>
|
||
|
</th>
|
||
|
<td valign="top" width="50%" headers="d0e286 d0e25 ">Add the Kerberos principal for the system that is trying
|
||
|
to connect to this system to your trusted group file. To recover from this
|
||
|
error, complete the following:<ol><li><a href="rzakhkerberosscenario_setcentralsystem.htm#rzakhkerberosscenario_setcentralsystem">Set</a> the
|
||
|
central system to use Kerberos authentication.</li>
|
||
|
<li><a href="rzakhkerberosscenario_collectsystemvalues.htm#rzakhkerberosscenario_collectsystemvalues">Collect</a> system
|
||
|
values inventory.</li>
|
||
|
<li><a href="rzakhkerberosscenario_compareandupdatekerberos.htm#rzakhkerberosscenario_compareandupdatekerberos">Compare</a> and
|
||
|
update.</li>
|
||
|
<li><a href="rzakhkerberosscenario_restartmanagementcentral.htm#rzakhkerberosscenario_restartmanagementcentral">Restart</a> Management
|
||
|
Central servers on the central system and the target systems.</li>
|
||
|
<li><a href="rzakhkerberosscenario_addkerberosserviceprincipal.htm#rzakhkerberosscenario_addkerberosserviceprincipal">Add</a> Kerberos
|
||
|
service principal to the trusted group file for all endpoint systems.</li>
|
||
|
<li><a href="rzakhkerberosscenario_allowtrustedconnections.htm">Allow</a> trusted
|
||
|
connections.</li>
|
||
|
<li><a href="rzakhkerberosscenario_restartmanagementcentral.htm#rzakhkerberosscenario_restartmanagementcentral">Restart</a> Management
|
||
|
Central servers on the central system and the target systems.</li>
|
||
|
<li><a href="rzakhkerberosscenario_testauthenticationon.htm#rzakhkerberosscenario_testauthenticationon">Test</a> authentication
|
||
|
on Management Central servers.</li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
</tr>
|
||
|
</tbody>
|
||
|
</table>
|
||
|
</div>
|
||
|
|
||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="rows"><caption>Table 2. Common
|
||
|
errors in Kerberos-enabled i5/OS interfaces</caption><thead align="left"><tr><th valign="top" width="50%" class="firstcol" id="d0e336">Problem</th>
|
||
|
<th valign="top" width="50%" id="d0e338">Recovery</th>
|
||
|
</tr>
|
||
|
</thead>
|
||
|
<tbody><tr><th valign="top" width="50%" class="firstcol" id="d0e342" headers="d0e336 ">You receive this error: Unable to obtain name of default
|
||
|
credentials cache.</th>
|
||
|
<td valign="top" width="50%" headers="d0e342 d0e338 ">Determine if the user signed on to the iSeries has
|
||
|
a directory in the /home directory. If the directory for the user does not
|
||
|
exist, <a href="rzakhhome.htm#rzakhhome">create a home directory</a> for
|
||
|
the credentials cache.</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e353" headers="d0e336 ">CPD3E3F Network Authentication Service error &2 occurred.</th>
|
||
|
<td valign="top" width="50%" headers="d0e353 d0e338 ">See the specific recovery information that corresponds
|
||
|
with this message.</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e358" headers="d0e336 ">DRDA/DDM connection fails on an iSeries system that previously connected.</th>
|
||
|
<td valign="top" width="50%" headers="d0e358 d0e338 ">Check to see if the default realm specified during network
|
||
|
authentication service configuration exists. If a default realm and Kerberos
|
||
|
server have not been configured, the network authentication service configuration
|
||
|
is incorrect and DRDA/DDM connections will fail. To recover from this error,
|
||
|
you can do one of the following tasks: <ol><li>If you are not using Kerberos authentication, then complete the following: <ol type="a"><li><a href="rzakhrrealms.htm#rzakhrrealms">Delete</a> the default
|
||
|
realm specified in the network authentication service configuration.</li>
|
||
|
</ol>
|
||
|
</li>
|
||
|
<li>If you are using Kerberos authentication, complete these steps: <ol type="a"><li><a href="rzakhconfig.htm#rzakhconfig">Reconfigure</a> network authentication
|
||
|
service specifying the default realm and Kerberos server that you created
|
||
|
in Step 1.</li>
|
||
|
<li>Configure iSeries Access
|
||
|
for Windows applications
|
||
|
to use Kerberos authentication. This will set Kerberos authentication on all iSeries Access
|
||
|
for Windows applications,
|
||
|
including DRDA/DDM. (See <a href="rzakhscen2.htm#rzakhscen2">Scenario: Enable single signon for i5/OS</a>.)</li>
|
||
|
</ol>
|
||
|
</li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e398" headers="d0e336 ">QFileSvr.400 connection fails on an iSeries system
|
||
|
that previously connected.</th>
|
||
|
<td valign="top" width="50%" headers="d0e398 d0e338 ">Check to see if the default realm specified during network
|
||
|
authentication service configuration exists. If a default realm and Kerberos
|
||
|
server have not been configured, the network authentication service configuration
|
||
|
is incorrect and QFileSvr.400 connections will fail. To recover from this
|
||
|
error, you can do one of the following tasks: <ol><li>If you are not using Kerberos authentication, then complete the following: <ol type="a"><li><a href="rzakhrrealms.htm#rzakhrrealms">Delete</a> the default
|
||
|
realm specified in the network authentication service configuration.</li>
|
||
|
</ol>
|
||
|
</li>
|
||
|
<li>If you are using Kerberos authentication, complete these steps: <ol type="a"><li>Configure a default realm and Kerberos server on a secure system on the
|
||
|
network. See the documentation that corresponds with that system. </li>
|
||
|
<li><a href="rzakhconfig.htm#rzakhconfig">Reconfigure</a> network authentication
|
||
|
service specifying the default realm and Kerberos server that you create in
|
||
|
Step 1.</li>
|
||
|
<li>Configure iSeries Access
|
||
|
for Windows applications
|
||
|
to use Kerberos authentication. This will set Kerberos authentication on all iSeries Access
|
||
|
for Windows applications,
|
||
|
including DRDA/DDM. (See <a href="rzakhscen2.htm#rzakhscen2">Scenario: Enable single signon for i5/OS</a>.)</li>
|
||
|
</ol>
|
||
|
</li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><th colspan="2" valign="top" class="firstcol" id="d0e440" headers="d0e336 d0e338 "> </th>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e442" headers="d0e336 ">CWBSY1011 Kerberos client credentials not found.</th>
|
||
|
<td valign="top" width="50%" headers="d0e442 d0e338 ">The user does not have a ticket granting ticket (TGT).
|
||
|
This connection error occurs on the client PC when a user does not log into
|
||
|
a Windows 2000
|
||
|
domain. To recover from this error log into the Windows 2000 domain.</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e453" headers="d0e336 ">Error occurred while verifying connection settings. URL
|
||
|
does not have host. <strong>Note:</strong> This error occurs when you are using Enterprise
|
||
|
Identity Mapping (EIM).</th>
|
||
|
<td valign="top" width="50%" headers="d0e453 d0e338 ">To recover from this error, complete the following: <ol><li>In iSeries Navigator,
|
||
|
expand expand <span class="uicontrol">your server</span><span class="menucascade"><span class="uicontrol">Network</span></span><span class="menucascade"><span class="uicontrol">Servers</span></span><span class="menucascade"><span class="uicontrol">TCP/IP</span></span>.</li>
|
||
|
<li>Right-click <span class="uicontrol">Directory</span> and select <span class="uicontrol">Properties</span>.</li>
|
||
|
<li>On the <span class="uicontrol">General</span> page, validate that the administrator's
|
||
|
distinguished name and password match those you entered during EIM configuration.</li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e492" headers="d0e336 ">Error occurred while changing local directory server configuration.
|
||
|
GLD0232: Configuration cannot contain overlapping suffixes. <strong>Note:</strong> This
|
||
|
error occurs when you are using Enterprise Identity Mapping (EIM).</th>
|
||
|
<td valign="top" width="50%" headers="d0e492 d0e338 ">To recover from this error, complete the following: <ol><li>In iSeries Navigator,
|
||
|
expand <span class="uicontrol">your server</span><span class="menucascade"><span class="uicontrol">Network</span></span><span class="menucascade"><span class="uicontrol">Servers</span></span><span class="menucascade"><span class="uicontrol">TCP/IP</span></span>.</li>
|
||
|
<li>Right-click <span class="uicontrol">Directory</span> and select <span class="uicontrol">Properties</span>.</li>
|
||
|
<li>On the <span class="uicontrol">Database/Suffixes</span> page, remove any <span class="uicontrol">ibm-eimDomainName</span> entries
|
||
|
and reconfigure EIM.</li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e534" headers="d0e336 ">Error occurred while verifying connection settings. Exception
|
||
|
occurred calling an iSeries program. The called program is eimConnect.
|
||
|
Details are: com.ibm.as400.data.PcmlException. <strong>Note:</strong> This error occurs
|
||
|
when you are using Enterprise Identity Mapping (EIM).</th>
|
||
|
<td valign="top" width="50%" headers="d0e534 d0e338 ">To recover from this error, complete the following: <ol><li>In iSeries Navigator,
|
||
|
expand <span class="uicontrol">your server</span><span class="menucascade"><span class="uicontrol">Network</span></span><span class="menucascade"><span class="uicontrol">Servers</span></span><span class="menucascade"><span class="uicontrol">TCP/IP</span></span>.</li>
|
||
|
<li>Right-click <span class="uicontrol">Directory</span> and select <span class="uicontrol">Properties</span>.</li>
|
||
|
<li>On the <span class="uicontrol">Database/Suffixes</span> page, remove any <span class="uicontrol"><var class="varname">ibm-eim</var>DomainName</span> entries
|
||
|
and reconfigure EIM.</li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e581" headers="d0e336 ">Kerberos ticket from remote system cannot be authenticated. <div class="note"><span class="notetitle">Note:</span> This
|
||
|
error occurs when you are configuring Management Central systems to use Kerberos
|
||
|
authentication. </div>
|
||
|
</th>
|
||
|
<td valign="top" width="50%" headers="d0e581 d0e338 ">Verify that Kerberos in configured properly on all your
|
||
|
systems. This error may indicate a security violation. Try the request again,
|
||
|
if the problem persists contact service.</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e588" headers="d0e336 ">Cannot retrieve Kerberos service ticket. <div class="note"><span class="notetitle">Note:</span> This
|
||
|
error occurs when you are configuring Management Central systems to use Kerberos
|
||
|
authentication. </div>
|
||
|
</th>
|
||
|
<td valign="top" width="50%" headers="d0e588 d0e338 ">Verify that the Kerberos principal krbsvr400/iSeries
|
||
|
fully qualified host name@REALM is in the Kerberos server as well as the keytab
|
||
|
file for each of your systems. To verify if Kerberos principal
|
||
|
is entered in the Kerberos server, see <a href="rzakhdefineiseries.htm#rzakhdefineiseries">Add i5/OS principals to the Kerberos server</a>.
|
||
|
To verify if the Kerberos service principal names is entered in the keytab
|
||
|
file. See <a href="rzakhkkeytab.htm#rzakhkkeytab">Manage keytab files</a> for details.</td>
|
||
|
</tr>
|
||
|
<tr><th valign="top" width="50%" class="firstcol" id="d0e601" headers="d0e336 ">Kerberos principal is not in trusted group. <div class="note"><span class="notetitle">Note:</span> This
|
||
|
error occurs when you are configuring Management Central systems to use Kerberos
|
||
|
authentication. </div>
|
||
|
</th>
|
||
|
<td valign="top" width="50%" headers="d0e601 d0e338 ">Add the Kerberos principal for the system that is trying
|
||
|
to connect to this system to your trusted group file. To recover from this
|
||
|
error, complete the following:<ol><li><a href="rzakhkerberosscenario_setcentralsystem.htm#rzakhkerberosscenario_setcentralsystem">Set</a> the
|
||
|
central system to use Kerberos authentication.</li>
|
||
|
<li><a href="rzakhkerberosscenario_collectsystemvalues.htm#rzakhkerberosscenario_collectsystemvalues">Collect</a> system
|
||
|
values inventory.</li>
|
||
|
<li><a href="rzakhkerberosscenario_compareandupdatekerberos.htm#rzakhkerberosscenario_compareandupdatekerberos">Compare</a> and
|
||
|
update.</li>
|
||
|
<li><a href="rzakhkerberosscenario_restartmanagementcentral.htm#rzakhkerberosscenario_restartmanagementcentral">Restart</a> Management
|
||
|
Central servers on the central system and the target systems.</li>
|
||
|
<li><a href="rzakhkerberosscenario_addkerberosserviceprincipal.htm#rzakhkerberosscenario_addkerberosserviceprincipal">Add</a> Kerberos
|
||
|
service principal to the trusted group file for all endpoint systems.</li>
|
||
|
<li><a href="rzakhkerberosscenario_allowtrustedconnections.htm">Allow</a> trusted
|
||
|
connections.</li>
|
||
|
<li><a href="rzakhkerberosscenario_restartmanagementcentral.htm#rzakhkerberosscenario_restartmanagementcentral">Restart</a> Management
|
||
|
Central servers on the central system and the target systems.</li>
|
||
|
<li><a href="rzakhkerberosscenario_testauthenticationon.htm#rzakhkerberosscenario_testauthenticationon">Test</a> authentication
|
||
|
on Management Central servers.</li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
</tr>
|
||
|
</tbody>
|
||
|
</table>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhtrouble.htm" title="This section provides links to troubleshooting information about common problems for network authentication service, Enterprise Identity Mapping (EIM), and IBM-supplied applications that support Kerberos authentication.">Troubleshoot</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|