z/OS Security Server RACF Diagnosis Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Logon problems troubleshooting table

z/OS Security Server RACF Diagnosis Guide
GA32-0886-00

Table 1. Troubleshooting Table: Logon Problems
Symptom Recommended Procedures for Logon Problems
Users cannot log on
Action:
  1. Check whether any error messages were issued for the user request and make sure that message IDs are included with the messages. If a batch job produced the output, check that the job statement had MSGLEVEL=(1,1) specified. If a TSO/E user had the problem, check that the user profile had these options: PROFILE WTPMSG MSGID.
  2. If only one or a few users cannot log on, check that they are using the current password. If no users can log on, do the rest of this procedure.
  3. There might be a password synchronization problem, which you should be able to recognize because the user's old password is either accepted as correct or as expired. Enter a RACLINK LIST command on each system to check the user's user ID association if that's what is being used to synchronize passwords.
  4. If the database should have been updated by a command that was issued on another system in the RACF® remote sharing facility (RRSF) network, check the status of the connection with a TARGET LIST on this system and the originating system. Also, check the RRSFDATA profiles on the originating system.
  5. Check the system date in effect for the current system IPL. If the wrong date is in effect, users who cannot log on might have the REVOKE attribute in their user profiles. See z/OS Security Server RACF Security Administrator's Guide for more information about the REVOKE attribute.
  6. If you are sharing your database with other systems, make sure that all systems sharing the database are using the same password authentication algorithm, and that there has not been a period of time when the systems were using different algorithms.

    The default password authentication algorithm for the RACF component of the SecureWay Security Server is the Data Encryption Standard (DES) algorithm. The default password authentication algorithm for RACF on MVS™ beginning with RACF 2.1 is the (DES) algorithm, but for releases previous to RACF 2.1 the default is the masking algorithm. Make sure that you have taken the correct steps to activate the algorithm that you intend to use on each system sharing the database. See z/OS Security Server RACF System Programmer's Guide for more information.

Users cannot log on
(continued)
  1. If you are using a PassTicket, make sure:
    • The PTKTDATA class has been activated and a class profile exists.
    • You do not try to use the same PassTicket more than once.
    • The GMT clock on the evaluating computer is within the valid time range.

    For more information, see z/OS Security Server RACF Security Administrator's Guide.

  2. See Performing a preliminary search for a matching problem.

    If you do not find a matching problem, you need to collect problem information to report to IBM®, using the procedures in the remainder of this list.

  3. Get a printed or online copy of the SMF records related to the logon problem. You need it to analyze the problem or report the problem to IBM.
  4. See Searching for a matching problem.
  5. See Reporting RACF problems to IBM.
Parent topic: Troubleshooting tables

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014