Troubleshooting
Problem
This document provides information about some common problems that are seen when setting up a Single Sign-on using EIM and Network Authentication Services.
Resolving The Problem
Below you will find some common problems seen when setting up Single Sign-on using EIM and Network Authentication Services.
Before beginning a problem diagnosis, verify that you are current on cumulative PTF packages and that you have the latest Access Client Solutions service pack.
Problem 1: Unable to add EIM identifiers. When trying to open 'EIM domain management' in Navigator for i the following error is thrown:
Error: NAV_307002: Failed to retrieve the domain list. Details: Authentication error occurred. Verify that the logon DN and password are correct.
- Ensure the Directory Services server is started. If it does not start, troubleshoot LDAP by submitting the following:
  QMGTOOLS: EIM/SSO/LDAP Collector
  https://www.ibm.com/support/pages/node/666879
- Ensure the cn=administrator password is correct for the Directory Services (LDAP) server. The CHGDIRSVRA CL command can be used to change the LDAP administrator password from the IBM i command line as follows (replace password with the password you would like to use):
  If this does not resolve the problem, there might be a problem with the LDAP server. Troubleshoot LDAP by submitting the following:
  QMGTOOLS: EIM/SSO/LDAP Collector
  https://www.ibm.com/support/pages/node/666879
Problem 2: After running the kinit command you get an error - Unable to obtain name of default credentials cache.
Do the following:
Note: Similar errors concerning the default credentials may also be seen, but the default credentials CACHE refers to the /home/user directory.
- Verify that the current user has created a '/home/username' directory for whoever they are currently signed in as. From QSH, run the following command (where username is the ID of the person who is signed in and setting up SSO):
- Verify that this '/home/username' directory is set as the Home Directory for the user profile performing the kinit. This can be found by running the WRKUSRPRF command. Press F10 for additional parameters, and go to the bottom.
Problem 3: After running the kinit command you get an error - Unable to contact security server.
The 'security server' is the KDC. In most cases, this is the Microsoft Windows Active Directory server. You should do the following:
- If there is a host table entry for the KDC, verify that the first name in the list is the fully qualified domain name.
- Verify you have network connectivity to that server (ping the TCP/IP address).
- Check the '/qibm/userdata/os400/networkauthentication/krb5.conf' IFS file to make sure the 'kdc' and 'kpasswd_server' parameters are set to a valid Active Directory host name.
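The krb5.conf check above can be scripted so that the 'kdc' and 'kpasswd_server' values for the default realm are verified before the first kinit. The following is an added example and not part of the IBM support document or of IBM i; it assumes the stanza layout shown in the constructed sample (the real file on IBM i is /qibm/userdata/os400/networkauthentication/krb5.conf), treats "valid Active Directory host name" as a lowercase fully qualified name with an optional :port suffix, and checks only the parameters the document names.

```python
"""Sanity-check default_realm, kdc and kpasswd_server in an IBM i style krb5.conf.

Added example, not from the IBM support page. The file layout below is
constructed; the FQDN rule is this example's own assumption.
"""
import re

# Constructed sample of the realm stanza this document tells you to inspect.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = AD.DOMAIN.NAME

[realms]
    AD.DOMAIN.NAME = {
        kdc = dc01.ad.domain.name:88
        kpasswd_server = dc01.ad.domain.name:464
    }
"""

# Lowercase host name with at least one dot (assumption: what a "valid AD host name" looks like).
FQDN = re.compile(r'^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$')


def parse_krb5_conf(text):
    """Return {section: {key: value}}; realm stanzas become nested dicts under [realms]."""
    config, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                                  # [section] header
            section = m.group(1)
            config.setdefault(section, {})
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:                                  # REALM = { ... } opens a nested stanza
            realm = m.group(1)
            config[section][realm] = {}
            continue
        if line == '}':                        # end of the nested stanza
            realm = None
            continue
        if '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            target = config[section][realm] if realm else config[section]
            target[key] = value
    return config


def check_realm_servers(text):
    """Return a list of findings; an empty list means the checked settings look sane."""
    cfg = parse_krb5_conf(text)
    findings = []
    realm = cfg.get('libdefaults', {}).get('default_realm')
    if not realm:
        return ['[libdefaults] has no default_realm']
    if realm != realm.upper():
        findings.append(f'default_realm {realm!r} is not uppercase')
    stanza = cfg.get('realms', {}).get(realm)
    if not isinstance(stanza, dict):
        return findings + [f'[realms] has no stanza for {realm}']
    for key in ('kdc', 'kpasswd_server'):
        value = stanza.get(key)
        if not value:
            findings.append(f'{key} is not set for realm {realm}')
            continue
        # krb5.conf allows host:port; strip the port before validating the host name
        host = value.rsplit(':', 1)[0] if re.search(r':\d+$', value) else value
        if not FQDN.match(host):
            findings.append(f'{key} = {value!r} is not a lowercase fully qualified host name')
    return findings


if __name__ == '__main__':
    for finding in check_realm_servers(SAMPLE_KRB5_CONF) or ['krb5.conf realm settings look sane']:
        print(finding)
```

Run it against a copy of the real file by replacing SAMPLE_KRB5_CONF with open(path).read(); a finding about 'kdc' or 'kpasswd_server' is the condition that produces the "Unable to contact security server" error described in Problem 3.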
Problem 4: When attempting to use single sign-on, the following message is seen in ACS: MSGSY1018
Perform the steps in the following documentation:
- How to resolve MSGSY1018 when connecting to the IBM i using single sign on.
  https://www.ibm.com/support/pages/node/6254289
Problem 5: Message X'000D000' is shown in the QZSOSIGN joblog. Do the following:
- Take note of the 0x96c73xxx error code (the last xxx will be something like 'abc').
- On the operating system command line, type the following:
  Press the Enter key. Select Option 5 to display the file, and search for the 0x96C73xxx error code. It will be associated with another message description (though it may be too cryptic to determine without development assistance).
- For example: 0x96c73a08 says "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE".
0x025ea101 Keytab Entry Not Found
- Validate host table entries in CFGTCP opt. 10.
- The host table must match what is in the keytab file.
- In STRQSH type the following to see what is in the keytab file:
Problem 6: Password Incorrect Message after kinit command
- The password does not match between the Active Directory service principal account and the IBM i keytab file. Try doing the kinit again, but without the -k. This will prompt for a password. Type the password that was created in NAS and for the profile in AD. If it works when you manually type the password, then NAS has the wrong password. We then need to perform the instructions in the following documentation to synchronize the passwords:
  Changing NAS (Network Authentication Service) Password to Match Active Directory Password for EUVF06016E Password Not Correct
  https://www.ibm.com/support/pages/node/684993
Problem 7: Keytab Entry Not Found after Doing kinit command
- Check DNS entries in CFGTCP opt. 12 and opt. 10.
- Check the keytab list by running the following command in STRQSH:
- DNS names must be lowercase.
- Realm (Windows domain) names must be uppercase; for example, krbsvr400/ibmi.fully.qualified.name@AD.DOMAIN.NAME
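The naming rules in Problems 5 and 7 (host part lowercase and fully qualified, realm uppercase, host table matching the keytab) are easy to get subtly wrong by hand, so here is an added example, not from the IBM page or from IBM i, that checks principal names as you would copy them from a keytab listing against a constructed host table. HOST_TABLE, the principal strings and the exact format service/host@REALM are this example's assumptions; the host table lookup is case-insensitive so that a case mismatch is reported once, under the lowercase rule.

```python
"""Check keytab principal names against the rules in Problems 5 and 7.

Added example, not from the IBM support page. HOST_TABLE and the
principals used in the tests are constructed.
"""
import re

# Constructed host table in the shape of CFGTCP option 10: IP -> host names in listed order.
# Per Problem 3, the first name of an entry must be the fully qualified domain name.
HOST_TABLE = {
    "192.0.2.10": ["ibmi.fully.qualified.name", "ibmi"],
    "192.0.2.20": ["IBMI2", "ibmi2.fully.qualified.name"],   # short name listed first: wrong order
}

# service/host@REALM, with no extra '/' or '@' anywhere in the three parts
PRINCIPAL = re.compile(r'^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$')


def check_principal(principal, host_table=HOST_TABLE):
    """Return a list of findings for one service principal; [] means it passes every rule."""
    m = PRINCIPAL.match(principal)
    if not m:
        return [f"{principal!r} is not of the form service/host@REALM"]
    service, host, realm = m.group('service', 'host', 'realm')
    findings = []
    if host != host.lower():                       # Problem 7: DNS names must be lowercase
        findings.append(f"host part {host!r} must be lowercase")
    if '.' not in host:                            # Problem 3: keytab host should be fully qualified
        findings.append(f"host part {host!r} is not fully qualified")
    if realm != realm.upper():                     # Problem 7: realm names must be uppercase
        findings.append(f"realm {realm!r} must be uppercase")
    # Problem 5: the host table must match the keytab, and the FQDN must be the first name.
    first_names = {names[0].lower() for names in host_table.values() if names}
    all_names = {name.lower() for names in host_table.values() for name in names}
    key = host.lower()
    if key not in all_names:
        findings.append(f"host {host!r} has no host table entry")
    elif key not in first_names:
        findings.append(f"host {host!r} is not the first name of its host table entry")
    return findings


def check_keytab(principals, host_table=HOST_TABLE):
    """Map each failing principal to its findings; principals that pass are omitted."""
    return {p: f for p in principals if (f := check_principal(p, host_table))}


if __name__ == '__main__':
    # Constructed principals, as they might appear in a keytab listing.
    sample = [
        "krbsvr400/ibmi.fully.qualified.name@AD.DOMAIN.NAME",
        "krbsvr400/IBMI.fully.qualified.name@ad.domain.name",
        "krbsvr400/ibmi2.fully.qualified.name@AD.DOMAIN.NAME",
    ]
    for principal, findings in check_keytab(sample).items():
        print(principal)
        for finding in findings:
            print("  -", finding)
```

Feed check_keytab the principal column of the real keytab listing and the names from your own CFGTCP option 10 entries; every finding corresponds to one of the checks the document lists for a "Keytab Entry Not Found" result.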
Additional Troubleshooting:
If the above steps do not help resolve the issue, please open a support case through the 'https://www.ibm.com/mysupport' Support Portal and gather the following data:
1. On the PC we'll want to open a command prompt and type the following to purge the Kerberos tickets:
2. On the PC we'll then want to start a Wireshark trace using the following instructions:
   https://www.ibm.com/support/pages/node/636627
   NOTE: We will want to select all Ethernet interfaces available when starting the trace.
3. We then need to lock the PC by holding the Windows key + L and then sign back in. Then reproduce the problem and send in the resulting Wireshark trace file.
4. Send in the ACS Service Log file.
5. On the Active Directory system we'll want to run the following commands to check for duplicate service principal accounts:
   NOTE: This is all one command; it creates the files 'check_SPN.txt' and 'check_SPN2.txt', which we'll want sent in for review.
6. We'll also want to gather an EIM/LDAP collector using the following steps:
   - On the IBM i command line type the following command:
     If the library is found, follow steps B and C below. If the library is not found, we will want to do steps A - C to install QMGTOOLS and update it:
     A) On the IBM i command line type the following to restore the QMGTOOLS library (NOTE: the QALWOBJRST system value needs to be set to *ALL):
     B) We can then run the following commands:
     C) Take an opt. 13 to check for an update and follow the prompts to automatically download and restore the updated library.
   - Uploading data to IBM requires a data transfer ID. Ensure that you create a transfer ID and transfer PASSWORD:
     https://www.secure.ecurep.ibm.com/transferids/#
   - We can then run the following command to run our EIM/LDAP collector and automatically send the data back to the case (replace 'LDAPpassword' with the 'cn=Administrator' password and replace 'case' with your TS####### case number):
     Should the tool be unable to send in the collector zip file, it can be located in the following IFS directory: /tmp/collectorscripts/data/ldapcollector.zip
     We would want to pull this off the system and then upload it to the case.
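Step 5 looks for service principal names registered to more than one Active Directory account, which is the condition behind the KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE result quoted in Problem 5. The following is an added example and not the IBM page's own check_SPN commands nor any IBM or Microsoft tool: it assumes a constructed listing of 'account<TAB>SPN' lines (the real check_SPN.txt layout is not given on the page) and treats SPNs as case-insensitive, which is how the AD directory matches the servicePrincipalName attribute.

```python
"""Report SPNs that more than one Active Directory account claims.

Added example, not from the IBM support page. SAMPLE_SPN_LISTING and its
'account<TAB>SPN' layout are constructed for this example.
"""
from collections import defaultdict

# Constructed listing: one line per (account, servicePrincipalName) pair.
SAMPLE_SPN_LISTING = """\
svc_ibmi\tkrbsvr400/ibmi.fully.qualified.name
svc_ibmi\tkrbsvr400/IBMI
svc_ibmi_old\tkrbsvr400/ibmi.fully.qualified.name
IBMI$\tHOST/ibmi.fully.qualified.name
svc_ibmi2\tkrbsvr400/ibmi2.fully.qualified.name
"""


def parse_spn_listing(text):
    """Turn 'account<TAB>SPN' lines into (account, spn) pairs; blank and '#' lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        account, spn = line.split('\t', 1)
        pairs.append((account.strip(), spn.strip()))
    return pairs


def find_duplicate_spns(text):
    """Return {spn (lowercased): sorted accounts} for every SPN held by two or more accounts."""
    owners = defaultdict(set)
    for account, spn in parse_spn_listing(text):
        owners[spn.lower()].add(account)   # assumption: AD matches SPNs case-insensitively
    return {spn: sorted(accounts) for spn, accounts in owners.items() if len(accounts) > 1}


if __name__ == '__main__':
    duplicates = find_duplicate_spns(SAMPLE_SPN_LISTING)
    if not duplicates:
        print("no duplicate SPNs")
    for spn, accounts in duplicates.items():
        print(f"{spn} is registered to {len(accounts)} accounts: {', '.join(accounts)}")
```

In the constructed data the IBM i service principal is registered to both the current account and a stale one; that is exactly the situation to resolve (by removing the SPN from the account that no longer owns it) before retrying the kinit.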
Historical Number
319249546
Document Information
Modified date: 11 September 2024
UID: nas8N1016361