IBM Support

530 Login failed when using Kerberos with FTP

Troubleshooting


Problem

NAS is set up for Kerberos and FTP, EIM is configured, and SSO is functioning fine with 5250 Emulation. But when trying to FTP using Kerberos to another IBM i that is also configured for SSO, the login fails.

Resolving The Problem

When using FTP to connect to another IBM i, set the SECCNN parameter to *KERBEROS to use SSO.

The FTP session comes up with the expected messages:
Connecting to the host <system name> at address <system addr> using port 21.
220-QTCP at <system name>.
220 Connection will close if idle more than 5 minutes.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accept as authentication type
GSSAPI authentication succeeded

Enter must be pressed at this point to complete the connection; however, doing so results in the following messages:
530 Login incorrect
User login failed



This occurs because delegation has not been set properly for the krbsvr400 user on the AD server. Open the properties of that user, then select the Delegation tab. Change the setting to "Trust this user for delegation to any service (Kerberos only)".

The change will take effect the next time the 5250 Emulator is restarted using Kerberos for authentication.
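
The delegation setting can also be checked from PowerShell with the ActiveDirectory module. The script below is an added example, not part of the IBM document; it assumes the IBM i service accounts can be found by a service principal name of the form krbsvr400/<host>, and it maps the account attributes to the option shown on the Delegation tab.

```powershell
# Added example: report the Delegation tab setting of IBM i Kerberos service accounts.
# Assumption: the accounts carry an SPN beginning with "krbsvr400/". Adjust the
# LDAP filter if your accounts are identified differently.
Import-Module ActiveDirectory

$props = 'servicePrincipalName', 'TrustedForDelegation', 'msDS-AllowedToDelegateTo'

$accounts = Get-ADUser -LDAPFilter '(servicePrincipalName=krbsvr400/*)' -Properties $props

foreach ($a in $accounts) {
    # Count the constrained-delegation targets; 0 when the attribute is empty or unset.
    $targets = ($a.'msDS-AllowedToDelegateTo' | Measure-Object).Count

    # Translate the attribute combination into the wording of the Delegation tab.
    $setting = if ($a.TrustedForDelegation) {
        'Trust this user for delegation to any service (Kerberos only)'
    } elseif ($targets -gt 0) {
        'Trust this user for delegation to specified services only'
    } else {
        'Do not trust this user for delegation'
    }

    [pscustomobject]@{
        Account        = $a.SamAccountName
        SPN            = ($a.servicePrincipalName -join '; ')
        DelegationTab  = $setting
        # True only when the account has the setting this document calls for.
        MatchesSetting = [bool]$a.TrustedForDelegation
    }
}

# Command-line equivalent of selecting the option on the Delegation tab
# (<account> is a placeholder for the account name reported above):
# Set-ADAccountControl -Identity <account> -TrustedForDelegation $true
```

An account that reports MatchesSetting as False has not been given the delegation setting described above.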


Document Information

Modified date:
18 December 2019

UID

nas8N1022124