Troubleshooting Single signon


Use this information to resolve some common errors that you might experience while configuring and using a single signon environment. There are several actions that you can take to circumvent problems with your i5/OS® single signon configuration:

  1. You can confirm that your network authentication service configuration is correct by performing the qshell kinit command. To do this, enter the qshell environment and issue the kinit -k <service name> command. This command uses the keytab entry that was created in the network authentication service wizard. This command verifies that the encrypted password for the service is the same password that is stored on the KDC. If this command does not complete successfully, revisit your network authentication service configuration.

  2. Verify your host name resolution configurations, including your DNS server(s).

  3. Verify the EIM system configuration information on each i5/OS system that performs mapping lookup operations.

    1. Using iSeries™ Navigator, sign on to the system.

    2. Select the system, and expand Network-->Enterprise Identity Mapping-->Configuration.

    3. Right-click the Configuration folder and select Properties.

    4. On the Domain page, verify the domain connection settings and click Verify Configuration. This verifies that the domain controller is active and that the settings for the domain controller are correct.

    5. On the System User page, click Verify Connection to verify that the system user is specified correctly.

  4. Verify defined EIM associations by using the Test EIM mappings function to verify that the associations you have defined provide the mappings you expect.

  5. If your single signon configuration includes a multiple tier network, verify that ticket delegation is enabled for the server in the middle tier. This is required for the middle tier server to forward user credentials to the next server. You can enable ticket delegation on the Active Directory or Kerberos server. An example of a multiple tier network is a PC which authenticates with one server and then connects to another server.

If you are still experiencing a problem with your single signon after reviewing the steps above, use the following table to determine possible solutions to the symptoms of your configuration problems:

Symptoms and possible solutions

Host name resolution problems

Symptom: You are unable to connect to i5/OS systems within your single signon environment. The NSLOOKUP utility fails to resolve a host name when given an IP address during an attempt to confirm that host resolution is consistent between your iSeries system and a client PC.

Possible solution: The NSLOOKUP utility uses the currently configured DNS to resolve IP addresses from host names, as well as host names from IP addresses. If a host name cannot be resolved from an IP address, the most likely cause is a missing PTR record in DNS. Have your DNS administrator add a PTR record for this IP address.
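The following script is an added example, not part of the IBM documentation: it automates the consistency check described in step 2 above and in this table entry by resolving each host name to its addresses and each address back to a name, and reports a missing PTR record or a name mismatch. The resolver functions are passed in, so the check runs offline against the constructed zone data at the bottom; the socket-based pair is an assumption of this example for use on a live network (the page itself uses NSLOOKUP). Because the socket calls consult the host table as well as DNS, run it from both the PC and the i5/OS system to confirm that the two agree.

```python
"""Forward/reverse DNS consistency check (added example, not IBM code)."""
import socket
from typing import Callable, Dict, List, Optional

Forward = Callable[[str], List[str]]        # host name -> IPv4 addresses
Reverse = Callable[[str], Optional[str]]    # IP address -> host name, or None if no PTR


def _canon(name: str) -> str:
    """Compare names case-insensitively and ignore a trailing dot."""
    return name.lower().rstrip(".")


def check_host(host: str, forward: Forward, reverse: Reverse) -> List[str]:
    """Return the problems found for one host; an empty list means forward and
    reverse resolution agree, which is what the single signon setup requires."""
    problems: List[str] = []
    try:
        ips = forward(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"{host}: forward lookup failed ({exc})"]
    if not ips:
        return [f"{host}: forward lookup returned no address"]
    for ip in ips:
        try:
            ptr = reverse(ip)
        except OSError:
            ptr = None
        if ptr is None:
            problems.append(f"{ip}: no PTR record; add one for {host}")
        elif _canon(ptr) != _canon(host):
            problems.append(f"{ip}: PTR record names {ptr}, expected {host}")
    return problems


def check_hosts(hosts, forward: Forward, reverse: Reverse) -> Dict[str, List[str]]:
    """Run check_host over every host; the result maps host -> problem list."""
    return {host: check_host(host, forward, reverse) for host in hosts}


# Live resolvers for a real network (assumed adapter, not from the page).
def socket_forward(host: str) -> List[str]:
    infos = socket.getaddrinfo(host, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def socket_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


# Constructed zone data (not real hosts): one consistent entry, one with no
# PTR record, and one whose PTR record names a different host.
ZONE_A = {
    "iseriesa.example.com": ["192.0.2.10"],
    "iseriesb.example.com": ["192.0.2.11"],
    "iseriesc.example.com": ["192.0.2.12"],
}
ZONE_PTR = {
    "192.0.2.10": "iseriesa.example.com.",
    "192.0.2.12": "otherhost.example.com",
}


def zone_forward(host: str) -> List[str]:
    return ZONE_A.get(host.lower(), [])


def zone_reverse(ip: str) -> Optional[str]:
    return ZONE_PTR.get(ip)


if __name__ == "__main__":
    for host, problems in check_hosts(ZONE_A, zone_forward, zone_reverse).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Against the constructed zone, iseriesa is reported consistent, iseriesb is flagged for the missing PTR record, and iseriesc for a PTR record that names another host; the same three outcomes are what to look for in the NSLOOKUP output on a real system.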

EIM configuration problems

Symptom: EIM mappings are not working as expected. In some instances, you are unable to sign into iSeries Navigator when using Kerberos authentication.

Possible solutions:

  • The domain controller is inactive. Activate the domain controller.

  • The EIM configuration is incorrect on the system or systems that you are trying to use Kerberos authentication with or get mappings for. Verify your EIM configuration. Expand Network-->Enterprise Identity Mapping-->Configuration on the system that you are trying to authenticate with. Right-click the Configuration folder and select Properties and verify the following:

    • Domain page:

      • The domain controller name and port numbers are correct.

      • Click Verify Configuration to verify that the domain controller is active.

      • The local registry name is specified correctly.

      • The Kerberos registry name is specified correctly.

      • Verify that Enable EIM operations for this system is selected.

    • System user page:

      • The specified user has sufficient EIM access control to perform a mapping lookup, and the password is valid for the user. See the online help to learn more about the different types of user credentials.

        Whenever passwords are updated in the directory server, they must also be updated in the system configuration.

      • Click Verify Connection to confirm that the user information specified is correct.

  • The EIM domain configuration is incorrect:

    You can Test EIM mappings to help verify that the associations for your EIM domain are properly configured.

    • A target or source association for an EIM identifier is not set up correctly. For example, there is no source association for the Kerberos principal (or windows user) or it is incorrect. Or, the target association specifies an incorrect user identity. Display all identifier associations for an EIM identifier to verify associations for a specific identifier.

    • A policy association is not set up correctly. Display all policy associations for a domain to verify source and target information for all policy associations defined in the domain.

    • Mapping lookups are returning more than one target identity, indicating that ambiguous mappings are configured. Test EIM mappings to identify which mappings are incorrect.

    • The registry definition and user identities do not match because of case sensitivity. You can delete and re-create the registry, or delete and re-create the association with the proper case.

  • EIM support is not enabled.
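The following is an added example, not IBM's EIM API or code: a small in-memory model of an EIM domain (registry definitions, identifier associations and default registry policy associations) with a lookup that reproduces the failure modes listed above, namely a missing or wrong source association, an ambiguous mapping that returns more than one target identity, and a case-sensitivity mismatch between a registry definition and the user identity. The lookup order (identifier associations first, policy associations only when none match) follows EIM's documented precedence; the registry names, identifiers and users are constructed for this example.

```python
"""Model of an EIM mapping lookup and its failure modes (added example, not IBM code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Registry:
    name: str
    case_sensitive: bool


@dataclass(frozen=True)
class Association:
    """Identifier association: ties a user identity in a registry to an EIM identifier."""
    identifier: str
    registry: str
    user: str
    kind: str            # "source" or "target"


@dataclass(frozen=True)
class PolicyAssociation:
    """Default registry policy: every user in source_registry maps to target_user."""
    source_registry: str
    target_registry: str
    target_user: str


class Domain:
    def __init__(self, registries: List[Registry], associations: List[Association],
                 policies: List[PolicyAssociation]):
        self.registries: Dict[str, Registry] = {r.name: r for r in registries}
        self.associations = associations
        self.policies = policies

    def _same_user(self, registry: str, stored: str, given: str) -> bool:
        # A case-sensitive registry definition makes "jday" and "JDAY" different users.
        if self.registries[registry].case_sensitive:
            return stored == given
        return stored.lower() == given.lower()

    def lookup(self, source_registry: str, source_user: str, target_registry: str) -> List[str]:
        """Return the target user identities a mapping lookup would produce."""
        identifiers = {
            a.identifier for a in self.associations
            if a.kind == "source" and a.registry == source_registry
            and self._same_user(source_registry, a.user, source_user)
        }
        targets = {
            a.user for a in self.associations
            if a.kind == "target" and a.registry == target_registry
            and a.identifier in identifiers
        }
        if not targets:  # policy associations apply only when no identifier association matched
            targets = {
                p.target_user for p in self.policies
                if p.source_registry == source_registry and p.target_registry == target_registry
            }
        return sorted(targets)

    def diagnose(self, source_registry: str, source_user: str, target_registry: str) -> str:
        """Explain the lookup result in the terms the troubleshooting table uses."""
        targets = self.lookup(source_registry, source_user, target_registry)
        if len(targets) == 1:
            return f"maps to {targets[0]}"
        if not targets:
            return (f"no mapping: check the source association for {source_user} in "
                    f"{source_registry} (including case) and the target association in {target_registry}")
        return f"ambiguous mapping: {len(targets)} target identities {targets}"


def sample_domain(kerberos_case_sensitive: bool = False, duplicate: bool = False,
                  policy: bool = False) -> Domain:
    """Constructed domain: one Kerberos registry, one i5/OS registry, one identifier."""
    assoc = [
        Association("John Day", "EXAMPLE.COM", "jday", "source"),
        Association("John Day", "ISERIESA.EXAMPLE.COM", "JOHND", "target"),
    ]
    if duplicate:  # a second identifier with the same source user -> ambiguous lookup
        assoc += [
            Association("J. Day", "EXAMPLE.COM", "jday", "source"),
            Association("J. Day", "ISERIESA.EXAMPLE.COM", "JDAY1", "target"),
        ]
    policies = [PolicyAssociation("EXAMPLE.COM", "ISERIESA.EXAMPLE.COM", "GUEST")] if policy else []
    return Domain(
        [Registry("EXAMPLE.COM", kerberos_case_sensitive), Registry("ISERIESA.EXAMPLE.COM", False)],
        assoc, policies,
    )


if __name__ == "__main__":
    for label, dom in [("ok", sample_domain()), ("case", sample_domain(True)),
                       ("dup", sample_domain(duplicate=True)), ("policy", sample_domain(policy=True))]:
        print(label, dom.diagnose("EXAMPLE.COM", "JDAY", "ISERIESA.EXAMPLE.COM"))
```

Note the policy case: with the Kerberos registry defined case sensitive and a default registry policy present, a lookup for JDAY no longer fails but silently maps to the policy's target user, which is why the table recommends testing EIM mappings rather than relying on a sign-on simply succeeding.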

Network authentication service configuration problems

Symptom: A keytab entry is not found when you perform a keytab list.

Possible solutions:

  • This can be due to a host resolution problem on the iSeries system. If you are using a host table, perform the CFGTCP command, option 10 and verify that the primary host name is listed first for the IP address of the server.

  • Verify your host name resolution configurations, including your DNS server.

Symptom: Users are unable to connect to systems.

Possible solution: Users may be unable to connect to systems if the EIM registry definition for the Kerberos registry was inappropriately defined as case sensitive. Delete and re-create the Kerberos registry. You will lose any associations that have been defined for that registry and will have to re-create them.

Symptom: User receives a message indicating an incorrect password when verifying the network authentication service configuration.

Possible solution: The password for the service in the KDC does not match the password for the service in the keytab. Update the keytab entry by using the keytab add command, and update the password for the service on the KDC.

Symptom: User receives the following message: Unable to obtain name of default credentials cache.

Possible solution: Verify that a home directory (/home/<user profile>) exists for the user that is performing the kinit.

Symptom: User receives the following message: Response too large for datagram.

Possible solution: Update the network authentication service configuration to use TCP as the data communications protocol:

  1. Using iSeries Navigator, select the system that issued the message.

  2. Select Security-->Network Authentication Service properties.

  3. On the General page, select Use TCP and click OK.

General problems

Symptom: You receive error message CWBSY10XX when attempting single signon.

Possible solutions:

  • Use the help associated with the message text to resolve the problem.

  • Use the System Access detail trace feature to determine if the appropriate Kerberos ticket is retrieved.

  • Download the Microsoft® kerbtray utility to verify that the user has Kerberos credentials.

  • If iSeries Navigator single signon is failing, check the QZSOSIGN jobs in the QUSRWRK subsystem. Search through the jobs for a CPD3E3F message. If you find the CPD3E3F message, use the recovery information provided within the message. The diagnostic message contains both major and minor status codes to indicate where the problem occurred. The most common errors are documented in the message along with the recovery.

  • If PC5250 is failing, check the following:

    • Check the QTVDEVICE jobs for the CPD3E3F message.

    • Check the QRMTSIGN system value and verify it is set to *VERIFY or *SAMEPRF.

Related information

  • Tools for DNS debugging
  • Troubleshoot EIM