Troubleshooting
Problem
Below is a list of common Enterprise Identity Mapping (EIM) and Network Authentication Service (NAS) errors and their solutions.
Resolving The Problem
The following are errors that are seen either when testing Network Authentication with a 'kinit -k' or in the QZSOSIGN joblog:
| Symptom Code | Error Description | Solution |
|---|---|---|
| 0x80090304 | Error in System i Access for Windows detail trace: kerb::InitializeSecurityContext() failed rc=0x80090304 kerb::mapSSPItoRC: sec_e_internal_error -> cwb_intenal_error | Change the encryption type to AES. |
| 0x96c73a06 | EUVF06014E Unable to obtain initial credentials. Status 0x96c73a06 - Client principal is not found in security registry. | The SPN (Service Principal Name) is either missing from, or defined more than once in, Windows Active Directory. Solution 1: Run the command "ldifde -m -f output.txt" on the Windows Active Directory server to export all users, then check the output for duplicate service principal entries. Solution 2: Reset the password for the Active Directory service principal account so that it matches the entry in the IBM i keytab list. Solution 3: See the information for symptom code 0x96c73a0e. |
| 0x96c73a0e | EUVF06014E Unable to obtain initial credentials. Status 0x96c73a0e - Encryption type is not supported. | Often seen with Windows 2008 domains and Windows 7 systems, which do not support DES encryption by default. Solution 1: Since the end of 2011, AES encryption is available for R540 and above; the following document describes this issue: https://www.ibm.com/support/pages/node/684323. Solution 2: Alternatively, enable DES on the Windows 2008 Active Directory as described in Microsoft KB 977321. |
| 0x96c73a12 | EUVF06014E Unable to obtain initial credentials. Status 0x96c73a12 - Client account revoked. | Solution: Recreate the account in Windows Active Directory and map it again with the KTPASS command. |
| 0x96c73a17 | EUVF06014E Unable to obtain initial credentials. Status 0x96c73a17 - Password is expired. | Solution: The password for the Windows Active Directory service principal account has expired. Reset it to match the password in the keytab list on the IBM i. |
| 0x96c73a1f | 0x96c73a1f - Integrity check fails (srv_gss_bind); 0x96c73a1f - KRB5KRB_AP_ERR_BAD_INTEGRITY | Solution: Reset the account in Windows Active Directory. |
| 0x96c73a25 | EUVF06014E Unable to obtain initial credentials. Status 0x96c73a25 - Time differential exceeds maximum clock skew. | This error indicates that the Microsoft Active Directory server clock and the IBM i system time are more than 5 minutes apart. Solution 1: Correct QTIME, or modify QTIMZON to reflect the correct offset. Solution 2: Correct the Microsoft Active Directory clock; check the time zone and DST settings. |
| 0x96c73a34 | EUVF06014E Unable to obtain initial credentials. Status 0x96c73a34 - Response too large for datagram. | Mostly seen when Network Authentication Service is not configured to use TCP. Solution: Activate TCP within Network Authentication Service: open System i Navigator, open the system/partition, click Security, right-click Network Authentication Service, select Properties, select General and check the box 'USE TCP', then click OK. |
| 0x96c73a44 | EUVF06014E Unable to obtain initial credentials. Status 0x96c73a44 - N/A. | The REALM name does not match what is in the Microsoft Active Directory KDC. |
| 0x96c73a87 | EUVF06014E Unable to obtain initial credentials. Status 0x96c73a87 - Cannot open or find the Network Authentication Service configuration file. | Solution 1: The '/qibm/userdata/os400/networkauthentication/krb5.conf' file does not exist or cannot be opened. Verify that the file exists and is readable by all users. Solution 2: In WRKENVVAR LEVEL(*SYS), if a PATH environment variable is set, make sure it includes '/usr/bin' and ':.:'. |
| 0x96c73a88 | EUVF06014E Unable to obtain initial credentials. Status 0x96c73a88 - Improper format of Network Authentication Service configuration file. | The '/qibm/userdata/os400/networkauthentication/krb5.conf' file contains a syntax error. No details about the syntax error are available. Solution: Edit the configuration file to identify and correct the syntax error. |
| 0x96c73a8b | KRB5_CC_BADNAME | Typically found with QNTC or DDM Kerberos; caused by a name resolution issue or by the account not being set for delegation on the AD server. Solution 1: Make sure name resolution is working correctly, and set the krbsvr400 account to be trusted for delegation. |
| 0x96c73a8d | Matching credential is not found. | |
| 0x96c73a90 | CPD3E3F x'96c73a90' Kerberos Realm Name problem | The realm the IBM i is configured for does not match the one the PC is using; for example, the IBM i keytab holds krbsvr400/system1.mycompany.com@INT.MYCOMPANY.COM but the PC is using krbsvr400/system1.mycompany.com@MYCOMPANY.COM. Reconfiguring SSO is the best solution, as the mappings may be wrong as well. |
| 0x96c73a94 | Clock skew has reached max value | |
| 0x96c73abc | KRB5_BAD_ENCTYPE | Often seen with Windows 2008 domains and Windows 7 systems, which do not support DES encryption by default. Solution 1: Since the end of 2011, AES encryption is available for R540 and above; the following document describes this issue: https://www.ibm.com/support/pages/node/684323. Solution 2: Alternatively, enable DES on the Windows 2008 AD as described in Microsoft KB 977321. Solution 3: Check for "Trusted for Delegation" in the Microsoft Active Directory service principal account properties. |
| 0x96c73ac3 | EUVF06014E Unable to obtain initial credentials. Status 0x96c73ac3 - Credentials cache file does not exist. | Solution 1: Create a home directory for the user (mkdir '/home/userprofile'). |
| 0x96c73adb | EUVF06014E Unable to obtain initial credentials. Status 0x96c73adb - Security server is not defined for requested realm. | Solution 1: Check the CFGTCP option 12 and option 10 settings to make sure names can be resolved properly using DNS. Solution 2: In the Network Authentication Service configuration, check that the KDC name defined is correct. |
| 0x96c73c0e | Profile has insufficient authority | |
| More messages from 96c73A00 to 96c73CFF | | |
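Two rows above point at krb5.conf without giving much to go on: 0x96c73a88 reports a syntax error in '/qibm/userdata/os400/networkauthentication/krb5.conf' with no location, and 0x96c73adb (and the realm mismatches in 0x96c73a44 and 0x96c73a90) come down to the realm in the file not being defined the way the KDC expects. The checker below is an added example written for this page, not IBM code or part of Network Authentication Service. It parses the MIT-style profile format the file uses (bracketed sections, `key = value` lines, brace-delimited realm blocks) and reports the line of each structural problem, then confirms that `default_realm` has an identically spelled block in `[realms]` with a `kdc` entry. The two sample configurations, the host names dc01/dc02.int.mycompany.com and the realms are constructed for the example; run it against a copy of the IBM i file by passing the file's text to `check_krb5_conf`.

```python
"""Structural check for a krb5.conf file (added example, not from the IBM page).

Parses the MIT-style profile format (bracketed sections, key = value lines,
brace blocks) and reports line numbers for the problems that NAS error
0x96c73a88 hides, plus the missing-realm condition behind 0x96c73adb.
All sample data below is constructed and not taken from the original page.
"""
import re
from typing import Dict, List, Optional, Tuple

SECTION_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]$")
ASSIGN_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5_conf(text: str) -> Tuple[Dict[str, dict], List[str]]:
    """Return (sections, problems).  A brace block becomes a nested dict and a
    key repeated in one scope (several 'kdc =' lines) becomes a list."""
    sections: Dict[str, dict] = {}
    problems: List[str] = []
    stack: List[Tuple[dict, int]] = []      # open brace blocks: (dict, line opened)
    current: Optional[dict] = None

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                        # blank or comment line
        m = SECTION_RE.match(line)
        if m:
            if stack:                       # a new section closes nothing implicitly
                problems.append(f"line {lineno}: section [{m.group(1)}] starts while the "
                                f"block opened on line {stack[-1][1]} is still unclosed")
                stack.clear()
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None:
            problems.append(f"line {lineno}: text outside any [section]: {line!r}")
            continue
        target = stack[-1][0] if stack else current
        if line == "}":
            if stack:
                stack.pop()
            else:
                problems.append(f"line {lineno}: '}}' without a matching '{{'")
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a 'key = value' line: {line!r}")
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":                    # start of a nested block
            block: dict = {}
            target[key] = block
            stack.append((block, lineno))
        elif key in target and not isinstance(target[key], dict):
            old = target[key]               # repeated key -> list of values
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    for _, opened in stack:
        problems.append(f"line {opened}: '{{' is never closed")
    return sections, problems


def check_default_realm(sections: Dict[str, dict]) -> List[str]:
    """Kerberos realm names are case-sensitive: default_realm must appear,
    spelled identically, as a block in [realms] that names a kdc."""
    realm = sections.get("libdefaults", {}).get("default_realm")
    if not isinstance(realm, str):
        return ["[libdefaults] has no single default_realm"]
    block = sections.get("realms", {}).get(realm)
    if not isinstance(block, dict):
        return [f"default_realm {realm} has no block in [realms]"]
    if "kdc" not in block:
        return [f"[realms] block for {realm} defines no kdc"]
    return []


def check_krb5_conf(text: str) -> List[str]:
    """Structural problems followed by realm problems; empty list means clean."""
    sections, problems = parse_krb5_conf(text)
    return problems + check_default_realm(sections)


GOOD_CONF = """\
# constructed sample, not a real configuration
[libdefaults]
 default_realm = INT.MYCOMPANY.COM
 default_tkt_enctypes = aes256-cts-hmac-sha1-96

[realms]
 INT.MYCOMPANY.COM = {
  kdc = dc01.int.mycompany.com:88
  kdc = dc02.int.mycompany.com:88
 }

[domain_realm]
 .int.mycompany.com = INT.MYCOMPANY.COM
"""

# Constructed broken sample: the realm block is never closed, and the
# default_realm (MYCOMPANY.COM) is not the realm defined under [realms].
BAD_CONF = """\
[libdefaults]
 default_realm = MYCOMPANY.COM

[realms]
 INT.MYCOMPANY.COM = {
  kdc = dc01.int.mycompany.com:88

[domain_realm]
 .int.mycompany.com = INT.MYCOMPANY.COM
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_krb5_conf(conf) or "no problems found")
```

The checker reads the whole file, so one run lists every problem rather than stopping at the first one, which is what you want when the only hint from the system is 0x96c73a88.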
The following are errors seen on the PC when using either System i Navigator or a 5250 session with Kerberos authentication enabled:

| Symptom Code | Error Description | Solution |
|---|---|---|
| CWB0999 RC8999 | | Solution 1: The password for the 'krbsvr400' service principal account in Windows Active Directory needs to be reset using the same password that was set up during the Network Authentication Service configuration. Solution 2: Also verify that the Windows Active Directory service principal account is set to the proper encryption algorithm. |
| CWBSY1011 | The connection is configured to use your Kerberos principal name for security authentication. These credentials were not found on your workstation. For Windows workstations, you need to log on to a Microsoft Active Directory domain to receive kerberos credentials. | The Windows PC does not have a Kerberos ticket. Solution 1: Install the latest service pack and any relevant hotfixes for the Windows OS. Solution 2: Make sure the Windows PC and the Microsoft Active Directory server are able to negotiate the same encryption algorithm, such as AES. For example, connecting to a Windows 2008 server from a Windows XP machine may not work, since XP wants to use DES, which is not enabled by default on Windows 2008. |
| CWBSY1012 | | Solution 1: See the following document: https://www.ibm.com/support/pages/node/643791. Solution 2: See the following document: https://www.ibm.com/support/pages/node/684323. |
| CWBSY1013 | Kerberos server cannot be contacted | If only one workstation is having this issue, the user is most likely not logged in to the domain. To verify this, use the KERBTRAY.EXE tool from Microsoft and check the Kerberos ticket. |
| CWBSY1017 | Access for Windows Kerberos single sign-ons were failing with message CWBSY1017, and CPD3E3F in the QZSOSIGN joblog. In both messages the major code is x'000D0000' and the minor code is x'96C73A1F'. | Solution 1: Reboot the PC. Solution 2: The password for the principal name on the Microsoft Active Directory domain had been changed so that it no longer matched the password for that principal name in the IBM i configuration. The password on Microsoft Active Directory was changed back, and the Kerberos connections worked. |
| CWBSY1017 RC608 | CWBSY1017 - Kerberos credentials not valid on server rc=608. The IBM i system apparently did not consider the ticket it received to be intended for its service. | Solution 1: Check and correct the host name in CFGTCP option 12, and add it to the host table in CFGTCP option 10. |
| CWBSY1017 RC612 | CWBSY1017 - Kerberos credentials not valid on server rc=612 | Solution 1: Synchronize passwords so that the Microsoft Active Directory service principal accounts match the IBM i accounts in the Network Authentication Service keytab list. Solution 2: Using WRKJOB QZSOSIGN from an operating system command line, you may find a CPD3E3F network authentication service error message with a major code of '000D0000' and a minor code of '96C73A25'. This indicates that the clocks on the PC, Microsoft Active Directory and the IBM i do not match; the three cannot be more than 5 minutes apart in their system time. |
| CWBSY1018 RC201 | | Solution 1: Check the case of the Windows ID against how it is registered in Microsoft Active Directory. |
| CWBSY1018 RC613 | | Solution 1: Make sure that the LDAP server (typically the QUSRDIR job) is active. Solution 2: Make sure the EIM domain controller password matches the LDAP administrator password. In System i Navigator, go to Network --> Enterprise Identity Mapping, right-click 'Configuration' and click 'Properties'. Set the 'cn=administrator' password to match the LDAP server's administrative password and click 'Verify connection'. If the connection is not successful, the password needs to be reset within the LDAP server properties: go to Network --> Servers --> TCP/IP, right-click 'IBM Tivoli Directory Server for IBM i' and click 'Properties'. On the General tab, click the 'Password' button next to the administrator name to reset the password, and make it match what was set in the EIM domain controller. |
| CWBSY1018 RC615 | | Solution 1: Make sure the 'Host.DomainName' from CFGTCP option 12 is listed in the system host table in CFGTCP option 10. Solution 2: Make sure a '/home/userprofile' IFS directory exists to store credentials. Solution 3: Use the Enterprise Identity Mapping 'Test a mapping' function to see whether a profile is associated with multiple identifiers. |
| EUVF02028E | The namesystem function detects an error. | Problem on the Windows PC or the Microsoft Active Directory KDC. Solution: Check the Microsoft Active Directory KDC for service packs / hotfixes. |
| EUVF06007E | | Solution: Check for a '/home/userprofile' IFS directory for the user who is running the command. |
| EUVF06016E | Password not correct for that name | Solution 1: Check the host name in the Microsoft Active Directory service principal account. Solution 2: There may be multiple mappings in Microsoft Active Directory. Issue the command "ldifde -m -f output.txt" on Microsoft Active Directory and search the output for duplicate service principal account entries. Solution 3: Reset the password for the service principal account on Microsoft Active Directory. |
| EUVF06022E | No default credentials cache found. | Solution: Create a home directory for the user (mkdir '/home/userprofile'). |
| EUVF06024E | Unable to retrieve principal from credentials cache name. | The klist command is unable to get the default principal name from the credentials cache. Solution: Activate TCP within Network Authentication Service: open System i Navigator, open the system/partition, click Security, right-click Network Authentication Service, select Properties, select General and check the box 'USE TCP', then click OK. |
| More messages from EUVF06000 to EUVF06999 | | |
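Both tables (0x96c73a06 above and EUVF06016E here) send you to an `ldifde -m -f output.txt` export to look for duplicate service principal entries. A plain text search of that file is unreliable: ldifde folds long values onto continuation lines, base64-encodes some values with the `::` form, and lists a multi-valued attribute such as servicePrincipalName as repeated lines. The script below is an added example written for this page, not IBM or Microsoft code; it parses the LDIF export properly and lists every SPN that appears on more than one object, which is the condition behind "client principal is not found". The sample export, its account names and DNs are constructed for the example; the only page-derived detail is the krbsvr400/host naming pattern. Comparing SPNs case-insensitively is an assumption made here to mirror how the directory treats them.

```python
"""Find servicePrincipalName values assigned to more than one AD object
(added example, not from the IBM page).

Parses an 'ldifde -m -f output.txt' style export, handling folded continuation
lines, base64 ('::') values and multi-valued attributes, then reports SPNs
held by several objects.  The sample export below is constructed.
"""
import base64
from collections import defaultdict
from typing import Dict, List


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Return one dict per entry.  Attribute names are lower-cased and every
    attribute is a list, because AD attributes such as servicePrincipalName may
    carry several values.  Records without a dn (e.g. 'version: 1') are skipped."""
    entries: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = defaultdict(list)
    for line in unfold(text) + [""]:           # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in entry:
                entries.append(dict(entry))
            entry = defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry[name.strip().lower()].append(value)
    return entries


def find_duplicate_spns(text: str) -> Dict[str, List[str]]:
    """Map each SPN found on more than one object to the DNs that hold it.
    SPNs are compared case-insensitively (assumption about AD's SPN matching)."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for entry in parse_ldif(text):
        for spn in entry.get("serviceprincipalname", []):
            owners[spn.lower()].append(entry["dn"][0])
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


# Constructed sample in ldifde output style.  The second object is a stale
# account that still carries the first object's SPN, which leaves the KDC
# unable to pick a single client principal.
_DESCRIPTION = base64.b64encode("Stale account \u2013 retired 2019".encode("utf-8")).decode()
SAMPLE_LDIF = f"""\
# constructed sample export, not real directory data
dn: CN=krbsvr400 system1,OU=Service Accounts,DC=int,DC=mycompany,DC=com
changetype: add
objectClass: user
sAMAccountName: krbsvr400sys1
servicePrincipalName: krbsvr400/system1.mycompany.com
servicePrincipalName: krbsvr400/SYSTEM1
userPrincipalName: krbsvr400/system1.mycompany.com@INT.MY
 COMPANY.COM

dn: CN=old krbsvr400,OU=Service Accounts,DC=int,DC=mycompany,DC=com
changetype: add
objectClass: user
sAMAccountName: krbsvr400old
servicePrincipalName: KRBSVR400/system1.mycompany.com
description:: {_DESCRIPTION}

dn: CN=krbsvr400 system2,OU=Service Accounts,DC=int,DC=mycompany,DC=com
changetype: add
objectClass: user
sAMAccountName: krbsvr400sys2
servicePrincipalName: krbsvr400/system2.mycompany.com
"""

if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print(f"duplicate SPN {spn} on {len(dns)} objects:")
        for dn in dns:
            print("   ", dn)
```

To use it on a real export, read output.txt (ldifde writes it in the system code page unless `-u` is given for Unicode) and pass the text to `find_duplicate_spns`; each reported DN is an object whose servicePrincipalName attribute needs to be cleaned up before the krbsvr400 account can authenticate reliably.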
Document Information
Modified date: 12 October 2023
UID: nas8N1020195