Troubleshooting single sign-on
Use the following troubleshooting methods to solve some of the basic problems you might experience while configuring and using a single sign-on environment.
There are several actions that you can take to circumvent problems with your IBM® i single sign-on configuration:
If you are still experiencing a problem with your single sign-on after reviewing the steps above, use the following table to determine possible solutions to the symptoms of your configuration problems:
Symptoms | Possible solutions |
---|---|
Host name resolution problems | |
You are unable to connect to IBM i systems within your single sign-on environment. | |
The NSLOOKUP utility fails to resolve a host name when given an IP address during an attempt to confirm that the host resolution is consistent between your System i system and a client PC. | The NSLOOKUP utility uses the currently configured DNS to resolve IP addresses from host names, as well as host names from IP addresses. If a host name cannot be resolved from an IP address, the most likely cause is a missing PTR record in DNS. Have your DNS administrator add a PTR record for this IP address. |
EIM configuration problems | |
EIM mappings are not working as expected. In some instances, you are unable to sign in to your system with System i Navigator when using Kerberos authentication. | |
Network authentication service configuration problems | |
A keytab entry is not found when you perform a keytab list. | |
Users are unable to connect to systems. | Users might be unable to connect to systems if the EIM registry definition for the Kerberos registry was inappropriately defined as case sensitive. Delete and re-create the Kerberos registry. Note: You will lose any associations that have been defined for that registry and will have to re-create them. |
User receives a message indicating an incorrect password when verifying the network authentication service configuration. | The password for the service in the KDC does not match the password for the service in the keytab. Update the keytab entry by using the keytab add command, and update the password for the service on the KDC. |
User receives the following message: Unable to obtain name of default credentials cache. | Verify that a home directory (/home/<user profile>) exists for the user that is performing the kinit. |
User receives the following message: Response too large for datagram. | Update the network authentication service configuration to use TCP as the data communications protocol: |
General problems | |
You receive error message CWBSY10XX when attempting single sign-on. | |
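
The NSLOOKUP row above describes confirming that forward and reverse host name resolution agree. The following is an added example, not part of the original IBM documentation, that automates that check and reports a missing PTR record or a PTR name that differs from the host name. The host names, addresses and the `sample_*` helpers are constructed for illustration; by default `check_host` uses the resolver configured on the machine where it runs.

```python
import socket

def _norm(name):
    # DNS names are case-insensitive; drop the trailing root dot.
    return name.rstrip(".").lower()

def system_forward(host):
    """Address lookup through the locally configured resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def system_reverse(ip):
    """PTR lookup through the locally configured resolver."""
    return socket.gethostbyaddr(ip)[0]

def check_host(fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of findings; an empty list means forward and reverse agree."""
    try:
        addresses = forward(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"{fqdn}: forward lookup failed ({exc})"]
    findings = []
    for ip in addresses:
        try:
            ptr = reverse(ip)
        except OSError:  # socket.herror: no PTR record for this address
            findings.append(f"{ip}: no PTR record (reverse lookup failed)")
            continue
        if _norm(ptr) != _norm(fqdn):
            findings.append(f"{ip}: PTR returns {ptr}, expected {fqdn}")
    return findings

# Constructed sample zone data (not from a real network).
SAMPLE_A = {"systema.example.com": ["192.0.2.10"],
            "systemb.example.com": ["192.0.2.11"],
            "systemc.example.com": ["192.0.2.12"]}
SAMPLE_PTR = {"192.0.2.10": "SYSTEMA.example.com.", "192.0.2.12": "systemc"}

def sample_forward(host):
    if host not in SAMPLE_A:
        raise OSError("host not found")
    return SAMPLE_A[host]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    for name in SAMPLE_A:
        print(name, check_host(name, sample_forward, sample_reverse) or "consistent")
```

Run the same check from both the client PC and a machine that uses the same DNS configuration as the IBM i system, and compare the findings.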