Troubleshooting general EIM configuration and domain problems

 

There are a number of general problems that you may encounter as you configure EIM for your system, as well as problems that you may encounter as you access an EIM domain. Review the following table to learn more about some common problems and potential solutions that you can use to resolve these problems.

Table 1. Common EIM configuration and domain problems and solutions
Possible problem Possible solutions
EIM Configuration wizard appears to hang during Finish processing. Tthe wizard may be waiting for the domain controller to start. Verify that no errors occurred during the startup of the directory server. For System i™ models, check the job log for the QDIRSRV job in the QSYSWRK subsystem. To check the job log, follow these steps:

  1. In iSeries™ Navigator, expand Work Management > Subsystems > Qsyswrk.

  2. Right-click Qdirsrv and select Job Log.
While using the EIM Configuration wizard to create a domain on a remote system, you received the following error message: "The parent distinguished name (DN) you entered is not valid. The DN must exist on the remote directory server. Specify or select a new or existing parent DN.' The parent DN specified for the remote domain does not exist. See Creating and joining a new remote domain to learn more about how to use the EIM Configuration wizard. Also, see the online help for detailed information about specifying a parent DN when creating a domain.
You receive a message indicating that the EIM domain does not exist. If you have not created an EIM domain, use the EIM Configuration wizard. This wizard creates an EIM domain for you, or enables you to configure an existing EIM domain. If you have created an EIM domain, ensure that the specified user is a member of an EIM access control group with sufficient authority to access it.
You receive a message indicating that an EIM object (identifier, registry, association, policy association, or certificate filter) is not found, or that you are not authorized to EIM data. Verify that the EIM object exists and whether the specified user is a member of an EIM access control group with sufficient authority to that object.
When you expand the Identifiers folder, it takes a long time before the list of identifiers displays. This may happen if there are a large number of EIM identifiers in the domain. To resolve this, you can customize the Identifiers folder view by restricting the search criteria used for displaying identifiers. To customize the view for EIM identifiers, follow these steps:

  1. In iSeries Navigator, expand Network > Enterprise Identity Mapping > Domain Management.

  2. Expand the domain in which you want to display the EIM identifiers.

  3. Right-click Identifiers and select Customize this view > Include....

  4. Specify the display criteria to use for generating the list of EIM identifiers to include in the view.

    You can use the asterisk (*) as a wildcard character.

  5. Click OK.
The next time you click Identifiers, only those EIM identifiers that match the criteria that you specified display.
While managing EIM through iSeries Navigator, you receive an error indicating that the EIM handle is no longer valid. The connection to the domain controller has been lost. To reconnect to the domain controller, follow these steps:

  1. In iSeries Navigator, expand Network > Enterprise Identity Mapping > Domain Management.

  2. Right-click the domain that you want to work with and select Reconnect....

  3. Specify the connection information.

  4. Click OK.
When using the Kerberos protocol for authentication with EIM, diagnostic message CPD3E3F is written to the job log. This message is generated whenever authentication or identity mapping operations fail. The diagnostic message contains both major and minor status codes to indicate where the problem occurred. The most common errors are documented in the message along with the recovery. Refer to the help information associated with the diagnostic message to begin troubleshooting the problem. You may also find it helpful to review Troubleshoot single signon configuration.

 

Parent topic:

Troubleshooting Enterprise Identity Mapping