Troubleshoot

Use this information to resolve some common errors that you might experience while configuring and using a single signon environment.

There are several actions that you can take to circumvent problems with your i5/OS™ single signon configuration:

You can confirm that your network authentication service configuration is correct by performing the qshell kinit command. To do this, enter the qshell environment and issue the kinit -k <service name> command. This command uses the keytab entry that was created in the network authentication service wizard. This command verifies that the encrypted password for the service is the same password that is stored on the KDC. If this command does not complete successfully, revisit your network authentication service configuration.
Verify your host name resolution configurations, including your DNS server(s).
Verify the EIM system configuration information on each i5/OS system that performs mapping lookup operations.
1. Using iSeries™ Navigator, sign on to the system.
2. Select the system, and expand Network-->Enterprise Identity Mapping-->Configuration.
3. Right-click the Configuration folder and select Properties.
4. On the Domain page, verify the domain connection settings and click Verify Configuration. This verifies that the domain controller is active and that the settings for the domain controller are correct.
5. On the System User page, click Verify Connection to verify that the system user is specified correctly.
Verify defined EIM associations by using the Test EIM mappings function to verify that the associations you have defined provide the mappings you expect.
If your single signon configuration includes a multiple tier network, verify that ticket delegation is enabled for the server in the middle tier. This is required for the middle tier server to forward user credentials to the next server. You can enable ticket delegation on the Active Directory or Kerberos server. An example of a multiple tier network is a PC which authenticates with one server and then connects to another server.

If you are still experiencing a problem with your single signon after reviewing the steps above, use the following table to determine possible solutions to the symptoms of your configuration problems:

Symptoms	Possible solutions
Host name resolution problems
You are unable to connect to i5/OS systems within your single signon environment.	This may be due to host resolution problems. Verify the PC and iSeries resolves to the same host name. Verify your host name resolution configurations, including your DNS server. This may be due to NAS configuration problems. See the Troubleshoot network authentication service information in the iSeries Information Center.
The `NSLOOKUP` utility fails to resolve a host name when given an IP address during an attempt to confirm that the host resolution is consistent between your iSeries system and a client PC.	The `NSLOOKUP` utility uses the currently configured DNS to resolve IP addresses from host names, as well as host names from IP addresses. If a host name cannot be resolved from an IP address, the most likely cause is a missing PTR record in DNS. Have your DNS administrator add a PTR record for this IP address.
EIM configuration problems
EIM mappings are not working as expected. In some instances, you are unable to sign into iSeries Navigator when using Kerberos authentication.	The domain controller is inactive. Activate the domain controller. The EIM configuration is incorrect on the system or systems that you are trying to use Kerberos authentication with or get mappings for. Verify your EIM configuration. Expand Network-->Enterprise Identity Mapping-->Configuration on the system that you are trying to authenticate with. Right-click the Configuration folder and select Properties and verify the following: Domain page: The domain controller name and port numbers are correct. Click Verify Configuration to verify that the domain controller is active. The local registry name is specified correctly The Kerberos registry name is specified correctly. Verify that Enable EIM operations for this system is selected. System user page: The specified user has sufficient EIM access control to perform a mapping lookup, and the password is valid for the user. See the online help to learn more about the different types of user credentials. Note: Whenever passwords are updated in the directory server, they must also be updated in the system configuration. Click Verify Connection to confirm that the user information specified is correct. The EIM domain configuration is incorrect: Note: You can Test EIM mappings to help verify that the associations for your EIM domain are properly configured. A target or source association for an EIM identifier is not set up correctly. For example, there is no source association for the Kerberos principal (or windows user) or it is incorrect. Or, the target association specifies an incorrect user identity. Display all identifier associations for an EIM identifier to verify associations for a specific identifier. A policy association is not set up correctly. Display all policy associations for a domain to verify source and target information for all policy associations defined in the domain. Mapping lookups are returning more than one target identity, indicating that ambiguous mappings are configured. Test EIM mappings to identify which mappings are incorrect. The registry definition and user identities do not match because of case sensitivity. You can delete and re-create the registry, or delete and re-create the association with the proper case. EIM support is not enabled. EIM has been disabled for the system. Verify that Enable EIM operations for this system is selected on the Domain page for the system EIM configuration properties (Expand Network-->Enterprise Identity Mapping-->Configuration folder-->Properties.) Policy association support is not enabled at the domain level. You may need to enable policy associations for a domain. Mapping lookup support or policy association support is not enabled at the individual registry level. You may need to enable mapping lookup support and the use of policy associations for the target registry.
Network authentication service configuration problems
A `keytab entry` is not found when you perform a `keytab list`.	This can be due to a host resolution problem on the iSeries system. If you are using a host table, perform the `CFGTCP` command, option 10 and verify that the primary host name is listed first for the IP address of the server. Verify your host name resolution configurations, including your DNS server.
Users are unable to connect to systems.	Users may be unable to connect to systems if the EIM registry definition for the Kerberos registry was inappropriately defined as case sensitive. Delete and re-create the Kerberos registry. Note: You will lose any associations that have been defined for that registry and will have to re-create them.
User receives a message indicating an incorrect password when verifying the network authentication service configuration.	The password for the service in the KDC does not match the password for the service in the keytab. Update the keytab entry by using the keytab add command, and update the password for the service on the KDC.
User receives the following message: `Unable to obtain name of default credentials cache`.	Verify that a home directory`(/home/<user profile>)` exists for the user that is performing the `kinit`.
User receives the following message: `Response too large for datagram.`	Update the network authentication service configuration to use TCP as the data communications protocol: Using iSeries Navigator, select the system that issued the message. Select Security-->Network Authentication Service properties. On the General page, select Use TCP and click Ok.
General problems
You receive error message `CWBSY10XX` when attempting single signon.	Use the help associated with the text to resolve the problem. Use the iSeries Access detail trace feature to determine if the appropriate Kerberos ticket is retrieved. Download the Microsoft^® kerbtray utility to verify that the user has Kerberos credentials. If iSeries Navigator single signon is failing, check the `QZSOSIGN` jobs in the `QUSRWRK` subsystem. Search through the jobs for a `CPD3E3F` message. If you find the `CPD3E3F` message, use the recovery information provided within the message. The diagnostic message contains both major and minor status codes to indicate where the problem occurred. The most common errors are documented in the message along with the recovery. If PC5250 is failing, check the following: Check the `QTVDEVICE` jobs for the `CPD3E3F` message. Check the `QRMTSIGN` system value and verify it is set to `VERIFY` or `SAMEPRF`.