IBM Support

How to resolve MSGSY1018 when connecting to the IBM i using single sign on.

Troubleshooting


Problem

When Single Sign On is configured for an IBM i and has been working, sometimes users encounter the following error message when connecting to the system:
MSGSY1018 : Kerberos credential could not be mapped for users.

Or
CWBSY1018 rc 613

Cause

This issue is normally the result of a mismatch between the LDAP and EIM cn=Administrator passwords.

Resolving The Problem

To resolve this issue, first check the LDAP job log on the IBM i. If you are using the default server, this is the QUSRDIR job. Check the job log for a GLD0120 error. If you find this error, continue with the following steps to resolve the issue.

Heritage IBM Navigator for i (V7R2 and below)

NOTE: The steps are done from the IBM Navigator for i page (http://systemName:2004/ibm/console or https://systemName:2005/ibm/console).
Update the LDAP cn=Administrator password:
  1. Navigate to Network -> Servers -> TCP IP Servers in Navigator for i.
  2. Right-click on IBM Tivoli Directory Server (LDAP) and select Properties.
  3. Click the Password button and set the LDAP administrator password.
  4. Click OK to set the password, then click OK again at the bottom of the properties window.
  5. Ensure the EIM password matches the LDAP password. In Navigator (Network), expand Enterprise Identity Mapping.
  6. Select configuration, then right-click on the EIM domain controller and select Properties.
  7. Select the "System User" tab, then click the Password button and set the password the same as the LDAP administrator password.
  8. Click OK, then click OK again at the bottom of the properties window.
  9. Try to connect again via a session using Single Sign-On.

IBM Navigator for i (V7R3 and above)

NOTE: The steps are done from the IBM Navigator for i page (http://systemName:2002/Navigator or https://systemName:2003/Navigator).
Update the LDAP cn=Administrator password:
  1. Double-click on the system to manage, then on the left menu hover over the Network icon and click on Servers --> TCP/IP Servers.
  2. Right-click on 'Directory Server (LDAP)' and select Properties.
  3. Click the Password button and set the LDAP administrator password.
  4. Click OK on the password change prompt, and a second time on the properties page.
  5. Ensure the EIM password matches the LDAP password. On the left menu click on the Security icon, then click on 'Enterprise Identity Mapping' -> 'Configuration'.
  6. Select configuration, then right-click on the EIM domain controller and select Properties.
  7. Select the "System User" tab, then click the 'Set Password' button and set the password the same as the LDAP administrator password.
  8. Click OK on the 'Set Password' prompt and a second time on the 'Configuration Properties' window.
  9. Try to connect again via a session using Single Sign-On.
The error received when trying to connect should now be resolved. If not, contact IBM Software Support for additional assistance.
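
Before retrying the sign-on in step 9, the new cn=Administrator password can be confirmed against the directory server with a single LDAP simple bind. The script below is an added example, not IBM code: it assumes the directory server accepts TLS connections on port 636 with a certificate the client trusts, and takes the host name from the command line.

```python
import getpass, socket, ssl, sys

INVALID_CREDENTIALS = 49  # LDAP resultCode when the DN and password do not match

def tlv(tag: int, value: bytes) -> bytes:
    """BER-encode one tag-length-value element (definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one element at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + first], pos + first

def build_bind_request(dn: str, password: str) -> bytes:
    """LDAPv3 simple BindRequest with messageID 1."""
    if not password:  # an empty password is an unauthenticated bind and proves nothing
        raise ValueError("empty password")
    bind = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, bind))

def parse_bind_result(resp: bytes) -> int:
    """Return the resultCode from a BindResponse (0 = success)."""
    tag, msg, _ = read_tlv(resp)
    _, _, pos = read_tlv(msg)              # skip messageID
    op_tag, op, _ = read_tlv(msg, pos)     # [APPLICATION 1] BindResponse
    code_tag, code, _ = read_tlv(op)       # ENUMERATED resultCode
    if (tag, op_tag, code_tag) != (0x30, 0x61, 0x0A):
        raise ValueError("not an LDAP BindResponse")
    return int.from_bytes(code, "big")

def check_bind(host: str, dn: str, password: str, port: int = 636) -> int:
    """Bind over TLS (assumed enabled on 636) so the password is not sent in clear text."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as s:
        s.sendall(build_bind_request(dn, password))
        return parse_bind_result(s.recv(4096))  # a BindResponse fits in one small read

if __name__ == "__main__":
    rc = check_bind(sys.argv[1], "cn=Administrator", getpass.getpass("LDAP password: "))
    print("bind OK" if rc == 0 else f"bind failed, resultCode={rc}")
```

A result of 49 means the password entered is not the one the directory server holds for cn=Administrator, so it should not be the one set on the EIM "System User" tab.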

Document Location

Worldwide

Document Information

Modified date:
05 August 2022

UID

ibm16254289