Cannot acquire credentials

A user attempts to access WebSEAL and receives an HTML page with the following error:

HPDIA0114E Could not acquire a client credential.

This same message is written to the log file.

The user exists in the Active Directory user registry and presented valid SPNEGO authentication data, but the user does not exist in the ISAM user registry.

SPNEGO authentication requires the user exists in both the Active Directory and the ISAM user registries. If you believe the user exists in both user registries, verify the user ID produced by SPNEGO authentication matches what you expect. To see the user ID, complete the following steps:

1. Enable the pd.ias authentication trace by using the following pdadmin command:

   pdadmin sec_master> server task serverName trace set  \
   			pd.ias 9 file path=/tmp/ias.log
   

2. Have the same user attempt to access the Web server again. After this user receives the HPDIA0114E message, disable the authentication trace using the following pdadmin command:

   pdadmin sec_master> server task server trace set pd.ias 0

3. Examine the /tmp/ias.log file for a message similar to the following message:

   Mapped name user@realm to am_user

4. Ensure the am_user user is a defined user in the ISAM user registry.

Parent topic: Unable to authenticate