Troubleshooting
Problem
The IBM Security Access Manager appliance Reverse Proxy instance is configured for SPNEGO Kerberos authentication but after the changes are deployed the instance fails to start.
Symptom
The IBM Security Access Manager appliance Reverse Proxy instance has been configured for SPNEGO Kerberos authentication but fails to start. Messages of the following types may be observed in the instance's message log (where <hostname_of_web_site> is the web site address):
0x30923082 webseald ERROR bst general amstli.c 2681 0x7f0426b4d720 --
HPDST0130E The security service function gss_acquire_cred returned the error 'Unspecified GSS failure. Minor code may provide more information' (code 0x000d0000/851968).
0x30923082 webseald ERROR bst general amstli.c 2699 0x7f0426b4d720 --
HPDST0130E The security service function gss_acquire_cred returned the error 'No key table entry found matching HTTP/<hostname_of_web_site>@' (code 0x025ea101/39756033).
0x13212064 webseald ERROR ias general ivpam.c 620 0x7f0426b4d720 --
HPDIA0100E An internal error has occurred.
0x13212064 webseald WARNING ias general pdauthn.cpp 1813 0x7f0426b4d720 --
HPDIA0100E An internal error has occurred.
0x38CF096A webseald ERROR wwa spnego authn-spnego.cpp 386 0x7f0426b4d720 --
DPWWA2410E Initialization of Kerberos authentication for server principal 'HTTP@<hostname_of_web_site>' failed.
Cause
There may be a mismatch between the value of the -princ parameter supplied in the ktpass command and the Kerberos Service Name setting. The Kerberos Service Name setting is the spnego-krb-service-name parameter in the instance's configuration file; it is updated in the LMI console under the Kerberos settings on the Authentication tab for the Reverse Proxy instance. The service name entry must also match the character case of the ktpass -princ parameter value (including the HTTP prefix).
Resolving The Problem
Ensure the ktpass -princ parameter's value is set with the correct character case and that the Reverse Proxy's Kerberos Service Name setting matches it exactly (including the character case). The value must be expressed as HTTP/<hostname_of_web_site>@ACTIVE_DIRECTORY_DOMAIN_NAME (note that upper case characters are used for the "HTTP" prefix and the Active Directory Domain Name).
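The comparison described above can be done before the changes are deployed. The following is an added example, not IBM code: it checks a ktpass -princ value and a Kerberos Service Name value against the required HTTP/<hostname_of_web_site>@ACTIVE_DIRECTORY_DOMAIN_NAME form and reports case-only differences. The host name and domain used in it are constructed sample values, and the function names are hypothetical.

```python
import re

# Form required by the technote: HTTP/<hostname_of_web_site>@ACTIVE_DIRECTORY_DOMAIN_NAME
PRINC_RE = re.compile(r"^(?P<svc>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]*)$")


def check_principal(value):
    """Return a list of problems with one principal string (empty list = OK)."""
    m = PRINC_RE.match(value)
    if not m:
        return ["not of the form HTTP/<hostname>@DOMAIN"]
    problems = []
    if m["svc"] != "HTTP":
        problems.append(f"service prefix is {m['svc']!r}, expected upper-case 'HTTP'")
    if not m["realm"]:
        problems.append("domain name after '@' is empty")
    elif m["realm"] != m["realm"].upper():
        problems.append(f"domain name {m['realm']!r} is not upper case")
    return problems


def compare(ktpass_princ, service_name):
    """Compare the ktpass -princ value with the Kerberos Service Name setting."""
    findings = [f"ktpass -princ: {p}" for p in check_principal(ktpass_princ)]
    findings += [f"service name: {p}" for p in check_principal(service_name)]
    if ktpass_princ != service_name:
        # The match is case-sensitive, so say when case is the only difference.
        if ktpass_princ.lower() == service_name.lower():
            findings.append("values differ only in character case")
        else:
            findings.append("values differ")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    princ = "HTTP/www.example.com@EXAMPLE.COM"
    for setting in ("HTTP/www.example.com@EXAMPLE.COM",
                    "http/www.example.com@EXAMPLE.COM",
                    "HTTP/www.example.com@example.com"):
        result = compare(princ, setting)
        print(setting, "->", result or "OK")
```
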
Document Information
More support for:
Tivoli Access Manager for e-business
Software version:
8.0, 9.0
Operating system(s):
Appliance
Document number:
259877
Modified date:
16 June 2018
UID
swg21700972