Wrong principal in request
A user attempts to access the Reverse Proxy and receives an HTML page with the following error:

HPDIA0100E An internal error has occurred.

The trace log file contains the following message:

HPDST0130E The security service function gss_accept_sec_context returned
the error 'Wrong principal in request' (code 0x96c73a90/-1765328240).

The server principal name (SPN) supplied by the client in the SPNEGO authentication header does
not match the SPN being used by the Reverse Proxy instance. This error can occur in the
following situations:
- The user did not specify the fully qualified host name (FQHN) when contacting the Reverse Proxy instance. Clients must use the FQHN so that the Active Directory server can provide the client with an appropriate Kerberos authentication ticket.
- The Reverse Proxy instance is configured to use the wrong SPN. The host name portion of the
principal in the Kerberos key table must match the host name that is being used by the client to
contact the Reverse Proxy instance. If the principal name in the key table is incorrect, the key
table must be regenerated on the key distribution center (KDC) by using the ktpass
command with the -princ option. The value that is specified for the
-princ option must use the same host name that the client uses to contact
the Reverse Proxy instance. For example, if clients contact the Reverse Proxy instance at
https://diamond.example.ibm.com and the Reverse Proxy instance is in the IBM.COM Kerberos realm, specify the following value for the -princ option:
  HTTP/diamond.example.ibm.com@IBM.COM
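
To check both situations before regenerating anything, the following added example (not IBM's code) derives the SPN a client requests for a given URL and compares it with the principals stored in a key table. It assumes the key table uses the MIT version 0x0502 file format; the function names, the dot-in-host-name FQHN heuristic, and the two sample key tables are constructed for illustration.

```python
import struct
from urllib.parse import urlsplit

def expected_spn(url, realm):
    """SPN a client requests for this URL: HTTP/<host>@<REALM>."""
    return f"HTTP/{urlsplit(url).hostname}@{realm}"

def keytab_principals(data):
    """List principal names in an MIT-format (version 0x0502) key table."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 key table")
    names, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry = data[pos:pos + size]
        (count,) = struct.unpack_from(">H", entry, 0)
        parts, off = [], 2
        for _ in range(count + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        names.append("/".join(parts[1:]) + "@" + parts[0])
        pos += size
    return names

def check(url, realm, keytab):
    """Return (expected SPN, host looks like an FQHN, SPN is in the key table)."""
    want = expected_spn(url, realm)
    host = urlsplit(url).hostname
    # Heuristic (assumption): a host name without a dot is not fully qualified.
    return want, "." in host, want in keytab_principals(keytab)

def _entry(realm, comps, key=bytes(32)):
    """Build one constructed key table entry (all-zero key, demo only)."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBHH", 1, 0, 1, 18, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed key tables: one with a short host name, one matching the page's URL.
BAD = b"\x05\x02" + _entry("IBM.COM", ["HTTP", "diamond"])
GOOD = b"\x05\x02" + _entry("IBM.COM", ["HTTP", "diamond.example.ibm.com"])

if __name__ == "__main__":
    for name, kt in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check("https://diamond.example.ibm.com", "IBM.COM", kt))
```

A False in the last position means the key table has no entry for the host name the client used, which is the condition that produces 'Wrong principal in request'.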