Preventing errors

The following checklist describes the errors that might cause a PassTicket to fail. To prevent these errors from occurring:

Read the list before you use the PassTicket.
Review your process to ensure that you have entered all of the information correctly.
Verify the information by using the procedures described in Verifying the secured signon environment.

Use this checklist to prevent or correct errors:

The PTKTDATA class is activated.
You issued the SETROPTS RACLIST(PTKTDATA) command.
You issued the SETROPTS RACLIST(PTKTDATA) REFRESH command after defining the profile.
A PTKTDATA class profile exists for the application.
You issued the RDEFINE command correctly.
A protected user ID may not be used for PassTicket authentication.

Even if you have followed the proper procedures, it is still possible to receive a message stating that a password is incorrect and be denied access to the application. This can occur if:

PassTicket replay protection is not being bypassed, and the PassTicket was used previously for this user, application, and time range.
In this case, RACF® generates an SMF record that logs an attempt to replay a PassTicket.
The GMT clock on the evaluating computer is outside the valid time range for the PassTicket.
This can be caused by one of the following:
- The GMT clock on the generating computer and the clock on the evaluating computer are not reasonably synchronized.
- The PassTicket was not used within approximately 10 minutes of being generated.
- The system clock on the evaluating computer might not be set correctly in relation to GMT. See the information about time considerations in How RACF processes the PassTicket.