Wrong principal in request
A user attempts to access WebSEAL and receives an HTML page with the following error:

HPDIA0100E An internal error has occurred.

The trace log file contains the following message:

HPDST0130E The security service function gss_accept_sec_context returned the error 'Wrong principal in request' (code 0x96c73a90/-1765328240).

The server principal name (SPN) supplied by the client in the SPNEGO authentication header does not match the SPN being used by the Web security server. This error can be caused in the following situations:
- The user did not specify the fully qualified host name (FQHN) when contacting the Web security server. Clients must use the FQHN so that the Active Directory server can issue the client a Kerberos service ticket for the correct principal.
- The Web security server is configured to use the wrong SPN. The host name portion of the principal in the Kerberos key table must match the host name that clients use to contact the Web security server. If the principal name in the key table is incorrect, the key table must be regenerated on the key distribution center (KDC) using the ktpass command with the -princ option. The value specified for the -princ option must use the same host name that clients use to contact the Web security server. For example, if clients contact the Web security server at https://diamond.example.ibm.com and the server is in the IBM.COM Kerberos realm, specify the following value for the -princ option:
HTTP/diamond.example.ibm.com@IBM.COM
You can use the am_ktutil program to examine the contents of the Kerberos key table.
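The following added example (not part of the original topic or of the WebSEAL product) shows the check described above as a small script: it builds the SPN a client will request from the URL the client types, compares it with the principals found in a key table listing, and reports which of the two causes applies. The listing format is a constructed sample in which the principal is the last field on each entry line; real am_ktutil output may differ, so adjust the parser if needed.

```python
"""Diagnose a WebSEAL 'Wrong principal in request' SPNEGO failure.

Assumed inputs: the URL clients use to reach the Web security server, the
Kerberos realm, and a text listing of the server's key table.
"""
from urllib.parse import urlsplit

# Constructed sample listing; only the principal column matters to the parser.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/path/to/webseal.keytab
KVNO Principal
---- ------------------------------------
   3 HTTP/diamond.example.ibm.com@IBM.COM
"""


def expected_spn(client_url: str, realm: str) -> str:
    """SPN the client asks the KDC for: HTTP/<host as typed>@<REALM>.

    No DNS canonicalisation is done, so a short host name in the URL yields
    a short-name SPN, which is exactly cause 1 on this page.
    """
    host = urlsplit(client_url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"no host name in URL: {client_url!r}")
    return f"HTTP/{host}@{realm.upper()}"


def parse_keytab_listing(listing: str) -> list:
    """Return the principals in a key table listing (assumed last field per line)."""
    principals = []
    for line in listing.splitlines():
        fields = line.split()
        if fields and "/" in fields[-1] and "@" in fields[-1]:
            principals.append(fields[-1])
    return principals


def diagnose(client_url: str, realm: str, keytab_principals: list) -> tuple:
    """Classify the mismatch: ('match' | 'client-used-short-name' |
    'keytab-spn-mismatch', expected SPN)."""
    want = expected_spn(client_url, realm)
    if want in keytab_principals:
        return "match", want
    host = want[len("HTTP/"):].split("@", 1)[0]
    if "." not in host:
        # Client did not use the FQHN; the key table cannot contain this SPN.
        return "client-used-short-name", want
    # Client used an FQHN but the key table holds a different host; regenerate
    # the key table with: ktpass -princ <want> ...
    return "keytab-spn-mismatch", want
```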