IBM Support

Error DPWAD1213E: Client not found in Kerberos database

Troubleshooting

Problem

When using a native Kerberos delegation junction, you may see an error in the WebSEAL message log such as: An error occurred when creating the Kerberos token: Client not found in Kerberos database

Symptom

Capturing a TCP/IP trace, you can see that the KDC returns the error:

KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

Cause

In a delegation context involving multiple AD domains, this can happen if the user that WebSEAL impersonates is not found on the target KDC where the TGS-REQ arrives. This may be a consequence of a wrong rule in the kerberos-user-identity entry for that junction, relative to the user that authenticated to WebSEAL.

Resolving The Problem

To solve the problem, first determine which UPN is valid for the target KDC, then use a correct rule for kerberos-user-identity. The following alternatives are available:

kerberos-user-identity = username@domain
kerberos-user-identity = username
kerberos-user-identity = @domain
kerberos-user-identity = fqdn

but also any attribute in the user credential, for instance:

kerberos-user-identity = attr:AZN_CRED_PRINCIPAL_NAME
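The following is an added example, not IBM's code: it simulates how a kerberos-user-identity rule turns the authenticated user's credential into the client principal sent in the TGS-REQ, and whether the target KDC knows that principal. The rule semantics, the realm names, the credential attributes other than AZN_CRED_PRINCIPAL_NAME, and the sample log lines are all assumptions constructed for the example.

```python
import re

# Constructed: the realm served by the target KDC and the principals it knows.
TARGET_REALM = "CORP.EXAMPLE.COM"
TARGET_KDC_PRINCIPALS = {"alice@CORP.EXAMPLE.COM", "bob@CORP.EXAMPLE.COM"}

# Constructed: credential of a user who authenticated to WebSEAL through a
# different AD domain; "upn" is an assumed extra credential attribute.
CRED = {
    "AZN_CRED_PRINCIPAL_NAME": "alice@USERS.EXAMPLE.COM",
    "upn": "alice@CORP.EXAMPLE.COM",
}

def build_client_principal(rule, cred, default_realm=TARGET_REALM):
    """Assumed semantics: 'attr:<name>' takes the credential attribute verbatim,
    '@realm' keeps the credential's user part and replaces the realm, anything
    else is a literal; a missing realm is filled from default_realm."""
    if rule.startswith("attr:"):
        principal = cred[rule[len("attr:"):]]
    elif rule.startswith("@"):
        principal = cred["AZN_CRED_PRINCIPAL_NAME"].split("@", 1)[0] + rule
    else:
        principal = rule
    if "@" not in principal:
        principal = f"{principal}@{default_realm}"
    return principal

def kdc_response(principal):
    """The KDC answer you would see in the TCP/IP trace for this client principal."""
    if principal in TARGET_KDC_PRINCIPALS:
        return "OK"
    return "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"

def diagnose(rule, cred=CRED):
    """Return (client principal the junction would send, expected KDC response)."""
    principal = build_client_principal(rule, cred)
    return principal, kdc_response(principal)

# Constructed WebSEAL message-log lines; only one carries the error from this page.
SAMPLE_LOG = [
    "2018-06-16-10:00:01 DPWAD1213E An error occurred when creating the Kerberos token: Client not found in Kerberos database",
    "2018-06-16-10:00:02 DPWWA1234I Junction /kerb-app created",
]
ERROR_RE = re.compile(r"Client not found in Kerberos database")

def log_error_count(lines):
    """Count log lines that report the 'Client not found' Kerberos token failure."""
    return sum(1 for line in lines if ERROR_RE.search(line))

if __name__ == "__main__":
    for rule in ("attr:AZN_CRED_PRINCIPAL_NAME", "attr:upn", "@CORP.EXAMPLE.COM", "alice"):
        print(f"{rule:32} -> {diagnose(rule)}")
```

Running it shows that taking AZN_CRED_PRINCIPAL_NAME verbatim sends alice@USERS.EXAMPLE.COM to a KDC that only knows CORP.EXAMPLE.COM principals, reproducing the KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN case, while a rule that yields a UPN valid for the target KDC succeeds.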

Product: Tivoli Access Manager for e-business
Component: WebSeal AMP Appliance
Platform: Appliance
Version: 8.0.1; 9.0

Document Information

Modified date:
16 June 2018

UID

swg21882700