Application connection problems and recovery

You may encounter these messages when applications use network authentication service.

Table 1. Common errors in Kerberos-enabled i5/OS™ interfaces
Problem Recovery
You receive this error: Unable to obtain name of default credentials cache.
Determine if the user signed on to the iSeries™ has a directory in the /home directory. If the directory for the user does not exist, create a home directory for the credentials cache.
CPD3E3F Network Authentication Service error &2 occurred.
See the specific recovery information that corresponds with this message.
DRDA/DDM connection fails on an iSeries system that previously connected.
Check to see if the default realm specified during network authentication service configuration exists. If a default realm and Kerberos server have not been configured, the network authentication service configuration is incorrect and DRDA/DDM connections will fail. To recover from this error, you can do one of the following tasks:
  1. If you are not using Kerberos authentication, then complete the following:
    1. Delete the default realm specified in the network authentication service configuration.
  2. If you are using Kerberos authentication, complete these steps:
    1. Reconfigure network authentication service specifying the default realm and Kerberos server that you created in Step 1.
    2. Configure iSeries Access for Windows® applications to use Kerberos authentication. This will set Kerberos authentication on all iSeries Access for Windows applications, including DRDA/DDM. (See Scenario: Enable single signon for i5/OS.)
QFileSvr.400 connection fails on an iSeries system that previously connected.
Check to see if the default realm specified during network authentication service configuration exists. If a default realm and Kerberos server have not been configured, the network authentication service configuration is incorrect and QFileSvr.400 connections will fail. To recover from this error, you can do one of the following tasks:
  1. If you are not using Kerberos authentication, then complete the following:
    1. Delete the default realm specified in the network authentication service configuration.
  2. If you are using Kerberos authentication, complete these steps:
    1. Configure a default realm and Kerberos server on a secure system on the network. See the documentation that corresponds with that system.
    2. Reconfigure network authentication service specifying the default realm and Kerberos server that you create in Step 1.
    3. Configure iSeries Access for Windows applications to use Kerberos authentication. This will set Kerberos authentication on all iSeries Access for Windows applications, including DRDA/DDM. (See Scenario: Enable single signon for i5/OS.)
 
CWBSY1011 Kerberos client credentials not found.
The user does not have a ticket granting ticket (TGT). This connection error occurs on the client PC when a user does not log into a Windows 2000 domain. To recover from this error, log into the Windows 2000 domain.
Error occurred while verifying connection settings. URL does not have host.
Note: This error occurs when you are using Enterprise Identity Mapping (EIM).
To recover from this error, complete the following:
  1. In iSeries Navigator, expand your server > Network > Servers > TCP/IP.
  2. Right-click Directory and select Properties.
  3. On the General page, validate that the administrator's distinguished name and password match those you entered during EIM configuration.
Error occurred while changing local directory server configuration. GLD0232: Configuration cannot contain overlapping suffixes.
Note: This error occurs when you are using Enterprise Identity Mapping (EIM).
To recover from this error, complete the following:
  1. In iSeries Navigator, expand your server > Network > Servers > TCP/IP.
  2. Right-click Directory and select Properties.
  3. On the Database/Suffixes page, remove any ibm-eimDomainName entries and reconfigure EIM.
Error occurred while verifying connection settings. Exception occurred calling an iSeries program. The called program is eimConnect. Details are: com.ibm.as400.data.PcmlException.
Note: This error occurs when you are using Enterprise Identity Mapping (EIM).
To recover from this error, complete the following:
  1. In iSeries Navigator, expand your server > Network > Servers > TCP/IP.
  2. Right-click Directory and select Properties.
  3. On the Database/Suffixes page, remove any ibm-eimDomainName entries and reconfigure EIM.
Kerberos ticket from remote system cannot be authenticated.
Note: This error occurs when you are configuring Management Central systems to use Kerberos authentication.
Verify that Kerberos is configured properly on all your systems. This error may indicate a security violation. Try the request again; if the problem persists, contact service.
Cannot retrieve Kerberos service ticket.
Note: This error occurs when you are configuring Management Central systems to use Kerberos authentication.
Verify that the Kerberos principal krbsvr400/<iSeries fully qualified host name>@REALM is in the Kerberos server as well as in the keytab file for each of your systems. To verify that the Kerberos principal is entered in the Kerberos server, see Add i5/OS principals to the Kerberos server. To verify that the Kerberos service principal name is entered in the keytab file, see Manage keytab files.
Kerberos principal is not in trusted group.
Note: This error occurs when you are configuring Management Central systems to use Kerberos authentication.
Add the Kerberos principal for the system that is trying to connect to this system to your trusted group file. To recover from this error, complete the following:
  1. Set the central system to use Kerberos authentication.
  2. Collect system values inventory.
  3. Compare and update.
  4. Restart Management Central servers on the central system and the target systems.
  5. Add Kerberos service principal to the trusted group file for all endpoint systems.
  6. Allow trusted connections.
  7. Restart Management Central servers on the central system and the target systems.
  8. Test authentication on Management Central servers.
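
The principal check in the "Cannot retrieve Kerberos service ticket" row can be scripted once the principal names have been copied out of the Kerberos server and out of each system's keytab. This is an added example, not IBM's code; the input format (plain lists of principal names), the function names, and the example.com hosts and realm are assumptions made for illustration.

```python
# Added example (not IBM's code). Assumed input: principal names, one per
# string, copied from the Kerberos server and from each system's keytab.

def expected_principal(fqdn, realm):
    """Service principal in the form the page gives."""
    return f"krbsvr400/{fqdn}@{realm}"

def diagnose(fqdn, realm, principals):
    """Return why the expected principal is or is not present in `principals`."""
    want = expected_principal(fqdn, realm)
    names = [p.strip() for p in principals if p.strip()]
    if want in names:
        return "ok"
    # Kerberos principal names are case-sensitive; report near misses separately.
    if any(n.lower() == want.lower() for n in names):
        return "case-mismatch"
    short = fqdn.split(".", 1)[0].lower()
    for n in names:
        primary, _, prealm = n.partition("@")
        service, _, host = primary.partition("/")
        if service.lower() != "krbsvr400":
            continue
        if host.lower() == short and prealm.lower() == realm.lower():
            return "short-host-name"
        if host.lower() == fqdn.lower():
            return "wrong-realm"
    return "missing"

def audit(realm, kdc_principals, keytabs):
    """Check every system in both places the page names: KDC and keytab."""
    return {fqdn: {"kdc": diagnose(fqdn, realm, kdc_principals),
                   "keytab": diagnose(fqdn, realm, entries)}
            for fqdn, entries in keytabs.items()}

# Constructed sample data; host names and realm are placeholders.
REALM = "EXAMPLE.COM"
KDC = ["krbsvr400/central.example.com@EXAMPLE.COM",
       "krbsvr400/endpoint1@EXAMPLE.COM",
       "krbsvr400/endpoint2.example.com@example.com"]
KEYTABS = {"central.example.com": ["krbsvr400/central.example.com@EXAMPLE.COM"],
           "endpoint1.example.com": ["krbsvr400/endpoint1.example.com@EXAMPLE.COM"],
           "endpoint2.example.com": []}

if __name__ == "__main__":
    for host, result in audit(REALM, KDC, KEYTABS).items():
        print(host, result)
```

Any result other than "ok" for a system, in either place, points to the entry to correct before retrying the Management Central connection.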