No match to principal in key table
The server did not start, and the log file contains the following error:
HPDST0130E The security service function gss_import_name returned the error 'No principal in keytab matches desired name' (code 0x1cff2901/486484225)
The principal name for the SPNEGO service that is defined in the ISAM server configuration file does not have a matching key in the SPNEGO key table. This error can occur for various reasons. The algorithm to map the service principal name to the key in the SPNEGO key table completes the following processes:
- Completes forward and reverse name resolution for the host name that is defined in the spnego-krb-service-name entry of the [spnego] stanza to discover the canonical host name.
- Compares the canonical host name to the realms defined in the [domain_realm] stanza of the krb5.conf configuration file.
- Validates the principal key in the SPNEGO key table.
For details about these processes, see Algorithm to resolve host names. The server configuration file for WebSEAL contains the [spnego] stanza. This stanza contains the following entries to examine:
- spnego-krb-service-name
  Service principal name in the following format:
  HTTP@hostname
  The following example shows a definition of this entry in the configuration file:
  HTTP@diamond.subnet2.ibm.com
- spnego-krb-keytab-file
  Define the SPNEGO key table. This file contains principal keys in the following format:
  HTTP/canonical_hostname@realm
  The following example shows a key in the key table:
  HTTP/diamond.subnet2.ibm.com@IBM.COM
The Kerberos krb5.conf configuration file contains the [domain_realm] stanza. This stanza contains entries that define the supported Kerberos realms. For details about this configuration file, see your Kerberos documentation.
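The three lookup steps above can be reproduced outside the server to predict which principal it will look for in the key table. The following Python sketch is an added example, not IBM code: the function names, the sample krb5.conf text and the keytab list are constructed, and the realm lookup assumes the usual krb5.conf convention of an exact host entry followed by the longest matching .domain suffix.

```python
import socket

def canonical_host(host, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Step 1: forward then reverse name resolution gives the canonical host name."""
    return reverse(forward(host))[0].lower()

def parse_domain_realm(krb5_conf_text):
    """Return {host_or_.domain: REALM} from the [domain_realm] stanza."""
    mapping, in_stanza = {}, False
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_stanza = line.lower() == "[domain_realm]"
        elif in_stanza and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def realm_for(host, mapping):
    """Step 2 (assumed convention): exact host entry, then longest .domain suffix."""
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None

def check_keytab(service_name, krb5_conf_text, keytab_principals, **resolvers):
    """Step 3: return (expected_principal, found_in_keytab)."""
    service, _, host = service_name.partition("@")
    canon = canonical_host(host, **resolvers)
    realm = realm_for(canon, parse_domain_realm(krb5_conf_text))
    if realm is None:  # no [domain_realm] entry covers the canonical host
        return None, False
    expected = f"{service}/{canon}@{realm}"
    return expected, expected in keytab_principals

# Constructed sample data, modelled on the values shown on this page.
SAMPLE_KRB5 = """
[domain_realm]
    .ibm.com = IBM.COM
"""
SAMPLE_KEYTAB = ["HTTP/diamond.subnet2.ibm.com@IBM.COM"]  # e.g. copied from klist -k
```

When the second value returned by check_keytab is False, the first value shows the principal that the key table would need to contain, which usually points to a reverse DNS record or [domain_realm] entry that differs from what the key was generated for.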