IBM Support

Enterprise Identity Mapping (EIM)/Network Authentication Services (NAS) Error Codes and Solutions

Troubleshooting


Problem

Below is a list of common Enterprise Identity Mapping (EIM) and Network Authentication Service (NAS) errors and their solutions.

Resolving The Problem

The following are errors that are seen either when testing Network Authentication with a 'kinit -k' or in the QZSOSIGN joblog:

Symptom Code / Error Description / Solution
0x80090304
Error in System i Access for Windows detail trace:
     kerb::InitializeSecurityContext() failed rc=0x80090304
     kerb::mapSSPItoRC: sec_e_internal_error -> cwb_intenal_error
Solution: Change the encryption type to AES.
0x96c73a06
EUVF06014E Unable to obtain initial credentials
             Status 0x96c73a06 - Client principal is not found in
             security registry.
The SPN (Service Principal Name) is either missing from Windows Active Directory or defined on more than one account.

Solution 1:
Run the command "ldifde -m -f output.txt" on the Windows Active Directory domain controller to export all the accounts, then search the output for duplicate service principal name entries.

Solution 2:
Reset the password for the Active Directory service principal account so that it matches the password in the IBM i keytab list.

Solution 3:
Check the information for symptom/error code 0x96c73a0e.
0x96c73a0e
EUVF06014E Unable to obtain initial credentials.
             Status 0x96c73a0e - Encryption type is not supported.
Often seen on Windows 2008 domains and Windows 7 systems. These domains do not support DES encryption by default.

Solution 1:
Since the end of 2011, AES encryption has been available for R540 and above. The following document describes this issue:

http://www.ibm.com/support/docview.wss?uid=nas8N1010903

Solution 2:
Alternatively, enable DES on the Windows 2008 Active Directory domain as described in Microsoft KB 977321.
0x96c73a12
EUVF06014E Unable to obtain initial credentials.
              Status 0x96c73a12 - Client Account revoked.
Solution: Recreate the account in Windows Active Directory and assign the service principal to it again with the KTPASS command.
0x96c73a17
EUVF06014E Unable to obtain initial credentials.
             Status 0x96c73a17 - Password is expired.
Solution: The password for the Windows Active Directory service principal account has expired. Reset it to match the password in the keytab list on the IBM i.
0x96c73a1f
0x96c73a1f - Integrity check fails (srv_gss_bind)
0x96c73a1f - KRB5KRB_AP_ERR_BAD_INTEGRITY
Solution: Reset the account in Windows Active Directory.

0x96c73a25
EUVF06014E Unable to obtain initial credentials.
             Status 0x96c73a25 - Time differential exceeds maximum clock skew.
This error indicates that the Microsoft Active Directory server clock and the IBM i system time are more than 5 minutes apart.

Solution 1: Correct QTIME, or modify QTIMZON so that it reflects the correct UTC offset.

Solution 2: Correct the Microsoft Active Directory clock. Check the time zone and DST settings.
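The 5-minute limit is checked in UTC, which is why both QTIME and the QTIMZON offset matter. The following is an added example, not part of the IBM document, that converts the IBM i wall clock (QTIME interpreted through the UTC offset QTIMZON declares) to UTC and compares it with the KDC clock. The timestamps and the -5/-4 offsets are constructed, and the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Kerberos rejects requests whose timestamps differ by more than this
# (the 5-minute limit the document refers to).
MAX_SKEW = timedelta(minutes=5)


def ibmi_utc(qtime_local, qtimzon_offset_hours):
    """Interpret the IBM i wall clock (QTIME) using the UTC offset that the
    QTIMZON time zone description declares, and return it as UTC.

    Kerberos compares UTC, so a wrong QTIMZON offset produces skew even when
    the wall clock on the IBM i looks right to an operator."""
    zone = timezone(timedelta(hours=qtimzon_offset_hours))
    return qtime_local.replace(tzinfo=zone).astimezone(timezone.utc)


def clock_skew(ibmi_time_utc, kdc_time_utc):
    """Return (skew_in_seconds, within_limit) for two UTC timestamps."""
    skew = abs(ibmi_time_utc - kdc_time_utc)
    return int(skew.total_seconds()), skew <= MAX_SKEW


def check_against_kdc(qtime_local, qtimzon_offset_hours, kdc_time_utc):
    """Convert the IBM i clock to UTC and compare it with the KDC clock."""
    return clock_skew(ibmi_utc(qtime_local, qtimzon_offset_hours), kdc_time_utc)


def example_skew(qtimzon_offset_hours):
    """Constructed sample: the domain controller reports 18:00:00 UTC and the
    IBM i wall clock reads 13:00:00, which is correct for UTC-5 in December."""
    kdc_now = datetime(2019, 12, 18, 18, 0, 0, tzinfo=timezone.utc)
    wall = datetime(2019, 12, 18, 13, 0, 0)
    return check_against_kdc(wall, qtimzon_offset_hours, kdc_now)


if __name__ == "__main__":
    # Correct offset for the season: no skew.
    print("QTIMZON offset -5:", example_skew(-5))   # (0, True)
    # Same wall clock, but QTIMZON still carries the summer offset of UTC-4:
    # the clock "looks right" on the console, yet Kerberos sees one hour of skew.
    print("QTIMZON offset -4:", example_skew(-4))   # (3600, False)
```

The second case is the one Solution 1 describes: the operator sees a correct local time, but the system's idea of UTC is an hour off because the time zone description carries the wrong offset.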
0x96c73a34
EUVF06014E Unable to obtain initial credentials.
             Status 0x96c73a34 - Response too large for
                     datagram.
Mostly seen when Network Authentication Service is not configured to use TCP.

Solution: To activate TCP within Network Authentication Service:
          - open System i Navigator
          - open the system/partition
          - click on Security
          - right-click on Network Authentication Service
          - select Properties
          - select General and check the box 'USE TCP'
          - click OK
0x96c73a44
EUVF06014E Unable to obtain initial credentials.
             Status 0x96c73a44 - N/A.
The realm name does not match the one in the Microsoft Active Directory KDC.
0x96c73a87
EUVF06014E Unable to obtain initial credentials.
             Status 0x96c73a87 - Cannot open or find the Network Authentication Service configuration file.

Solution 1:
The '/qibm/userdata/os400/networkauthentication/krb5.conf' file does not exist or cannot be opened. Verify that the file exists and is readable by all users.

Solution 2:
In WRKENVVAR LEVEL(*SYS), if a PATH environment variable is set, make sure it includes '/usr/bin' and ':.:'.
0x96c73a88
EUVF06014E Unable to obtain initial credentials.
             Status 0x96c73a88 - Improper format of Network
                 Authentication Service configuration file.
The '/qibm/userdata/os400/networkauthentication/krb5.conf' file contains a syntax error. No details about the syntax error are available.

Solution:
Edit the configuration file to identify and correct the syntax error.
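Because the error gives no line number, a small structural check of the file narrows the search. The following is an added example, not IBM code, that walks an MIT-style krb5.conf line by line and reports settings that precede any [section] header, unbalanced braces in realm groups, and lines that are neither a header, a name = value assignment nor a closing brace. The realm and KDC names in the two sample files are constructed, and the function name is this example's own.

```python
import re
import sys

SECTION_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]$")   # [libdefaults], [realms], ...
ASSIGN_RE = re.compile(r"^([^\s=]+)\s*=\s*(.*)$")   # name = value, or name = {


def check_krb5_conf(text):
    """Return a list of (line_number, problem) tuples; an empty list means the
    text parses. Blank lines and '#'/';' comments are ignored."""
    problems = []
    section = None
    open_braces = []   # line numbers of '{' that have not been closed yet

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue

        header = SECTION_RE.match(line)
        if header:
            if open_braces:
                problems.append((lineno, f"section [{header.group(1)}] begins inside the group opened on line {open_braces[-1]}"))
                open_braces = []
            section = header.group(1)
            continue
        if line.startswith("["):
            problems.append((lineno, f"malformed section header: {line!r}"))
            continue

        if line == "}":
            if open_braces:
                open_braces.pop()
            else:
                problems.append((lineno, "'}' without a matching '{'"))
            continue

        if section is None:
            problems.append((lineno, "setting appears before any [section] header"))
            continue

        assign = ASSIGN_RE.match(line)
        if not assign:
            problems.append((lineno, f"not a 'name = value' line: {line!r}"))
            continue
        name, value = assign.group(1), assign.group(2).strip()
        if value == "{":
            open_braces.append(lineno)
        elif value == "":
            problems.append((lineno, f"'{name}' has no value"))

    for lineno in open_braces:
        problems.append((lineno, "group opened here is never closed with '}'"))
    return problems


# Constructed sample in the layout an MIT-style krb5.conf uses (names made up).
GOOD_CONF = """\
[libdefaults]
  default_realm = INT.MYCOMPANY.COM
[realms]
  INT.MYCOMPANY.COM = {
    kdc = dc1.int.mycompany.com:88
    kpasswd_server = dc1.int.mycompany.com:464
  }
[domain_realm]
  .int.mycompany.com = INT.MYCOMPANY.COM
"""

# Constructed sample with three faults: a setting before any section (line 1),
# a realm group opened on line 3 that is still open when [domain_realm] starts
# on line 5, and a line with no '=' (line 7).
BAD_CONF = """\
default_realm = INT.MYCOMPANY.COM
[realms]
  INT.MYCOMPANY.COM = {
    kdc = dc1.int.mycompany.com:88
[domain_realm]
  .int.mycompany.com = INT.MYCOMPANY.COM
  .mycompany.com
"""

if __name__ == "__main__":
    # Pass a path to check a real file; otherwise the broken sample is checked.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONF
    for lineno, problem in check_krb5_conf(source) or [(0, "no syntax problems found")]:
        print(f"line {lineno}: {problem}")
```

The check is deliberately structural only: it does not know which setting names are valid, so a misspelled option passes, but the kinds of damage that stop the file from parsing at all (a missing brace, a line pasted outside a section) are reported with a line number.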
0x96c73a8b
KRB5_CC_BADNAME
Typically seen with QNTC or DDM Kerberos; caused by a name resolution issue, or by the account not being set for delegation on the Active Directory server.

Solution 1:
Make sure name resolution is working correctly, and set the krbsvr400 account to be trusted for delegation.
0x96c73a8d
Matching credential is not found.
0x96c73a90
CPD3E3F x'96c73a90' Kerberos Realm Name problem
The realm the IBM i is configured for does not match the one the PC is using. For example, the IBM i keytab contains
krbsvr400/system1.mycompany.com@INT.MYCOMPANY.COM
but the PC is using
krbsvr400/system1.mycompany.com@MYCOMPANY.COM

Solution: Reconfiguring SSO is the best solution, as the EIM mappings may be wrong as well.
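The realm mismatch shown above, and the realm problem behind 0x96c73a44, come down to comparing the service principal in the keytab with the one the client presents component by component. The following is an added example (not part of the IBM document) that does that comparison and names the differing part. It compares host names case-insensitively, as DNS does, and realm names exactly, because Kerberos realm names are case-sensitive, so a realm that differs only in case is reported separately. The keytab listing is constructed around the document's example principal, and the function names are this example's own.

```python
def parse_principal(text):
    """Split 'service/host@REALM' into its parts. Returns a dict with keys
    service, host and realm (realm is '' when the name carries none)."""
    name, at, realm = text.rpartition("@")
    if not at:                       # no '@' at all
        name, realm = text, ""
    service, slash, host = name.partition("/")
    if not slash or not service or not host:
        raise ValueError(f"not a service principal: {text!r}")
    return {"service": service, "host": host, "realm": realm}


def compare_principals(keytab_principal, client_principal):
    """Return the components that differ, in the order service, host, realm.
    'realm case' means the realms are the same letters in different case."""
    k = parse_principal(keytab_principal)
    c = parse_principal(client_principal)
    diffs = []
    if k["service"] != c["service"]:
        diffs.append("service")
    if k["host"].lower() != c["host"].lower():      # DNS names are case-insensitive
        diffs.append("host")
    if k["realm"] != c["realm"]:                    # realm names are case-sensitive
        diffs.append("realm case" if k["realm"].upper() == c["realm"].upper() else "realm")
    return diffs


def diagnose(keytab_principals, client_principal):
    """Given the principals listed in the IBM i keytab, pick the entry closest to
    the client's principal and describe the mismatch, if any."""
    best = min(keytab_principals,
               key=lambda p: len(compare_principals(p, client_principal)))
    diffs = compare_principals(best, client_principal)
    if not diffs:
        return f"match: {best}"
    return f"closest keytab entry {best} differs in: {', '.join(diffs)}"


# Constructed keytab listing; the second entry is the document's example.
KEYTAB = [
    "krbsvr400/SYSTEM1@INT.MYCOMPANY.COM",
    "krbsvr400/system1.mycompany.com@INT.MYCOMPANY.COM",
]

if __name__ == "__main__":
    # The document's case: the PC uses the parent realm instead of INT.
    print(diagnose(KEYTAB, "krbsvr400/system1.mycompany.com@MYCOMPANY.COM"))
    # Lower-case realm: same letters, still a mismatch to Kerberos.
    print(diagnose(KEYTAB, "krbsvr400/system1.mycompany.com@int.mycompany.com"))
    # Mixed-case host name: DNS does not care, so this one matches.
    print(diagnose(KEYTAB, "krbsvr400/System1.MyCompany.com@INT.MYCOMPANY.COM"))
```

When the closest entry differs only in the realm, the fix is on the configuration side (the realm the PC or the IBM i is told to use), not the password; when the host differs, the CFGTCP option 12 host name and host table entries described under the CWBSY1017 RC608 and CWBSY1018 RC615 symptoms are the place to look.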
0x96c73a94
Clock skew has reached the maximum value.
0x96c73abc
KRB5_BAD_ENCTYPE
Often seen on Windows 2008 domains and Windows 7 systems. These domains do not support DES encryption by default.

Solution 1:
Since the end of 2011, AES encryption has been available for R540 and above. The following document describes this issue:

http://www.ibm.com/support/docview.wss?uid=nas8N1010903

Solution 2:
Alternatively, enable DES on the Windows 2008 Active Directory domain as described in Microsoft KB 977321.

Solution 3:
Check for "Trusted for Delegation" in the Microsoft Active Directory service principal account properties.
0x96c73ac3
EUVF06014E Unable to obtain initial credentials.
              Status 0x96c73ac3 - Credentials cache file does
                    not exist.
Solution 1: Create a home directory for the user (mkdir '/home/userprofile').
0x96c73adb
EUVF06014E unable to obtain initial credentials.
            Status 0x96c73adb - Security server is not defined
              for requested realm.
Solution 1: Check the CFGTCP option 12 and option 10 settings to make sure names can be resolved properly using DNS.

Solution 2:
In the Network Authentication Service configuration, check that the KDC name defined is correct.
0x96c73c0e
Profile has insufficient authority.


More Messages from 96c73A00 to 96c73CFF




The following are errors seen on the PC when using either System i Navigator or a 5250 session with Kerberos authentication enabled:

Symptom Code / Error Description / Solution
CWB0999 RC8999
Solution 1: The password for the 'krbsvr400' service principal account in Windows Active Directory needs to be reset using the same password that was set up during the Network Authentication Service configuration.

Solution 2:
Also verify that the Windows Active Directory service principal account is set to the proper encryption algorithm.
CWBSY1011
The connection is configured to use your Kerberos principal name for security authentication. These credentials were not found on your workstation. For Windows workstations, you need to log on to a Microsoft Active Directory domain to receive kerberos credentials.
The Windows PC does not have a Kerberos ticket.

Solution 1:
Install the latest service pack, and possibly hotfixes, for the Windows OS.

Solution 2:
Make sure the Windows PC and the Microsoft Active Directory server are able to negotiate the same encryption algorithms, such as AES. For example, connecting to a Windows 2008 server from a Windows XP machine may not work, since XP wants to use DES (which is not enabled by default on Windows 2008).
CWBSY1012
Solution 1: See the following document:
http://www.ibm.com/support/docview.wss?uid=nas8N1019073
Solution 2: See the following document:
http://www.ibm.com/support/docview.wss?uid=nas8N1010903
CWBSY1013
Kerberos server cannot be contacted
If only one workstation is having this issue, the user is probably not logged on to the domain. To verify this, use the KERBTRAY.EXE tool from Microsoft and check the Kerberos ticket.
CWBSY1017
Access for Windows Kerberos single sign-ons were failing with message
CWBSY1017, and CPD3E3F in the QZSOSIGN joblog. In both messages,
the Major Code is x'000D0000' and the Minor Code is x'96C73A1F'.
Solution 1: Reboot the PC.

Solution 2:
The password for the principal name on the Microsoft Active Directory domain had been changed so that it no longer matched the password for that principal name in the IBM i configuration. The password on Microsoft Active Directory was changed back, and the Kerberos connections worked.
CWBSY1017 RC608
CWBSY1017 - Kerberos credentials not valid on server rc=608

The IBM i system apparently did not think the ticket received was intended for its service.
Solution 1: Check and correct the host name in CFGTCP option 12 and add it to the host table in CFGTCP option 10.
CWBSY1017 RC612
CWBSY1017 - Kerberos credentials not valid on server
rc=612
Solution 1: Synchronize passwords to make sure the Microsoft Active Directory service principal accounts match the IBM i accounts in the Network Authentication Service keytab list.

Solution 2:
Using WRKJOB QZSOSIGN from an operating system command line, you may find a CPD3E3F network authentication service error message with a major code of '000D0000' and a minor code of '96C73A25'. This indicates that the clocks on the PC, Microsoft Active Directory, and the IBM i do not match. The PC, the Microsoft Active Directory system, and the IBM i cannot be more than 5 minutes apart in their system time.
CWBSY1018 RC201

Solution 1: Check the case of the Windows ID and how it is registered in Microsoft Active Directory.
CWBSY1018 RC613

Solution 1: Make sure that the LDAP server (typically the QUSRDIR job) is active.

Solution 2:
Make sure the EIM domain controller password matches the LDAP administrator password. In System i Navigator, go to Network --> Enterprise Identity Mapping, right-click 'Configuration' and click 'Properties'. Set the 'cn=administrator' password to match the LDAP server's administrative password and click 'Verify connection'.

If the connection is not successful, the password needs to be reset within the LDAP server properties. Go to Network --> Servers --> TCP/IP, right-click 'IBM Tivoli Directory Server for IBM i' and click 'Properties'. On the General tab, click the 'Password' button next to the Administrator name to reset the password. Make this match what was set in the EIM domain controller.
CWBSY1018 RC615

Solution 1: Make sure the 'Host.DomainName' from CFGTCP option 12 is listed in the system host table in CFGTCP option 10.

Solution 2:
Make sure a '/home/userprofile' IFS directory exists to store credentials.

Solution 3:
Use the Enterprise Identity Mapping 'Test a mapping' function to see if a profile is associated with multiple identifiers.



EUVF02028E
The namesystem function detects an error.
Problem on the Windows PC or the Microsoft Active Directory KDC.

Solution:
Check the Microsoft Active Directory KDC for service packs / hot fixes.
EUVF06007E
Solution: Check for a '/home/userprofile' IFS directory for the user who is running the command.
EUVF06016E
Password not correct for that name
Solution 1: Check the host name in the Microsoft Active Directory service principal account.

Solution 2:
There may be multiple mappings in Microsoft Active Directory. Issue the command "ldifde -m -f output.txt" on the Microsoft Active Directory domain controller and then search the output for duplicate service principal account entries.

Solution 3:
Reset the password for the service principal account on Microsoft Active Directory.
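Both the 0x96c73a06 entry and Solution 2 here say to export the directory with "ldifde -m -f output.txt" and search it for duplicate service principal entries. A plain text search misses values that ldifde folds across lines or writes base64-encoded, so the following added example (not IBM code) parses the LDIF properly and reports every servicePrincipalName that is registered on more than one object. The sample export, its account names and the folded line are constructed; the function names are this example's own.

```python
import base64
from collections import defaultdict


def parse_ldif(text):
    """Yield (dn, attributes) per record. Attribute names are lower-cased and
    values kept in lists because LDAP attributes are multi-valued. Handles the
    two LDIF conventions that defeat grep: folded lines (continuation lines
    begin with a space) and base64 values ('attr:: ...')."""
    lines = []
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last record
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                # unfold a continuation line
        elif raw == "":
            if lines:
                yield _record(lines)
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)


def _record(lines):
    dn = None
    attrs = defaultdict(list)
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue                            # not an attribute line
        if value.startswith(":"):               # 'name:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return dn, attrs


def find_duplicate_spns(text):
    """Return {spn: [dn, ...]} for every SPN present on more than one object.
    SPNs are compared case-insensitively, which is how the directory stores them."""
    owners = defaultdict(set)
    for dn, attrs in parse_ldif(text):
        for spn in attrs.get("serviceprincipalname", []):
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


# Constructed sample export (names made up). The second account still carries
# the first account's SPN, and ldifde has folded that value across two lines.
SAMPLE_LDIF = """\
dn: CN=krbsvr400-system1,OU=Service Accounts,DC=int,DC=mycompany,DC=com
changetype: add
objectClass: user
sAMAccountName: krbsvr400-system1
servicePrincipalName: krbsvr400/system1.mycompany.com
servicePrincipalName: krbsvr400/SYSTEM1
userPrincipalName: krbsvr400/system1.mycompany.com@INT.MYCOMPANY.COM

dn: CN=old-system1-svc,OU=Service Accounts,DC=int,DC=mycompany,DC=com
changetype: add
objectClass: user
sAMAccountName: old-system1-svc
servicePrincipalName: krbsvr400/system1.m
 ycompany.com

dn: CN=jsmith,OU=Users,DC=int,DC=mycompany,DC=com
changetype: add
objectClass: user
sAMAccountName: jsmith
description:: SW5jbHVkZXMgbm8gU1BO
"""

if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print(f"{spn} is registered on {len(dns)} objects:")
        for dn in dns:
            print("   ", dn)
```

A duplicate SPN means the KDC cannot tell which account's key should encrypt the service ticket, which is why the symptom shows up as "client principal is not found" or "password not correct" rather than as an explicit duplicate warning; remove the SPN from the stale account (here the constructed old-system1-svc) and leave it on the one whose password matches the IBM i keytab.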
EUVF06022E
No default credentials cache found.
Solution: Create a home directory for the user (mkdir '/home/userprofile').
EUVF06024E
Unable to retrieve principal from credentials cache name.
The klist command is unable to get the default principal name from the credentials cache.

Solution:
Activate TCP within Network Authentication Service:
          - open System i Navigator
          - open the system/partition
          - click on Security
          - right-click on Network Authentication Service
          - select Properties
          - select General and check the box 'USE TCP'
          - click OK



More messages from EUVF06000 to EUVF06999


Product: IBM i (Power), version 7.1.0

Document Information

Modified date:
18 December 2019

UID

nas8N1020195