Application connection problems and recovery

Here are some of the common errors in Kerberos-enabled IBM® i interfaces and their recovery methods.

Table 1. Common errors in Kerberos-enabled IBM i interfaces
Problem Recovery
You receive this error: Unable to obtain name of default credentials cache. Determine if the user who signed on to the IBM i platform has a directory in the /home directory. If the directory for the user does not exist, create a home directory for the credentials cache.
CPD3E3F: Network Authentication Service error &2 occurred. See the specific recovery information that corresponds with this message.
DRDA/DDM connection fails on a IBM i platform that was previously connected. Check to see if the default realm specified during network authentication service configuration exists. If a default realm and Kerberos server have not been configured, the network authentication service configuration is incorrect and DRDA/DDM connections will fail. To recover from this error, you can do one of the following tasks:
  1. If you are not using Kerberos authentication, follow these steps:

    Delete the default realm specified in the network authentication service configuration.

  2. If you are using Kerberos authentication, follow these steps:
    1. Reconfigure network authentication service specifying the default realm and Kerberos server that you created in Step 1.
    2. Configure IBM i Access Client Solutions applications to use Kerberos authentication. This sets Kerberos authentication on all IBM i Access Client Solutions applications, including DRDA/DDM. (See Scenario: Enabling single sign-on for IBM i.)
QFileSvr.400 connection fails on a IBM i platform that was previously connected. Check to see if the default realm specified during network authentication service configuration exists. If a default realm and Kerberos server have not been configured, the network authentication service configuration is incorrect and QFileSvr.400 connections will fail. To recover from this error, you can do one of the following tasks:
  1. If you are not using Kerberos authentication, follow these steps:

    Delete the default realm specified in the network authentication service configuration.

  2. If you are using Kerberos authentication, follow these steps:
    1. Configure a default realm and Kerberos server on a secure system on the network. See the documentation that corresponds with that system.
    2. Reconfigure network authentication service specifying the default realm and Kerberos server that you create in Step 1.
    3. Configure IBM i Access Client Solutions applications to use Kerberos authentication. This will set Kerberos authentication on all IBM i Access Client Solutions applications, including DRDA/DDM. (See Scenario: Enabling single sign-on for IBM i.)
CWBSY1011: Kerberos client credentials not found. The user does not have a ticket-granting ticket (TGT). This connection error occurs on the client PC when a user does not log into a Windows domain. To recover from this error, log into the Windows domain.
Error occurred while verifying connection settings. URL does not have host.
Note: This error occurs when you are using Enterprise Identity Mapping (EIM).
 To recover from this error, follow these steps:
  1. In IBM Navigator for i, expand IBM i Management > Network > Servers > TCP/IP Servers.
  2. Right-click Directory and select Properties.
  3. On the General page, validate that the administrator's distinguished name and password match those you entered during EIM configuration.
Error occurred while changing local directory server configuration. GLD0232: Configuration cannot contain overlapping suffixes.
Note: This error occurs when you are using Enterprise Identity Mapping (EIM).
 To recover from this error, follow these steps:
  1. In IBM Navigator for i, expand IBM i Management > Network > Servers > TCP/IP Servers.
  2. Right-click Directory and select Properties.
  3. On the Database/Suffixes page, remove any ibm-eimDomainName entries and reconfigure EIM.
Error occurred while verifying connection settings. An exception occurred while calling an IBM i program. The called program is eimConnect. Details are: com.ibm.as400.data.PcmlException.
Note: This error occurs when you are using Enterprise Identity Mapping (EIM).
 To recover from this error, follow these steps:
  1. In IBM Navigator for i, expand IBM i Management > Network > Servers > TCP/IP Servers.
  2. Right-click Directory and select Properties.
  3. On the Database/Suffixes page, remove any ibm-eimDomainName entries and reconfigure EIM.
A Kerberos ticket from remote system cannot be authenticated.
Note: This error occurs when you are configuring Management Central systems to use Kerberos authentication.
Verify that Kerberos is configured properly on all your systems. This error might indicate a security violation. Try the request again. If the problem persists contact IBM Customer Support.
Cannot retrieve Kerberos service ticket.
Note: This error occurs when you are configuring Management Central systems to use Kerberos authentication.
Verify that the Kerberos principal krbsvr400/IBM i fully qualified host name@REALM is in the Kerberos server as well as the keytab file for each of your systems. To verify whether the Kerberos principal is entered in the Kerberos server, see Adding IBM i principals to the Kerberos server. To verify whether the Kerberos service principal names are entered in the keytab file, see Managing keytab files for details.
Kerberos principal is not in a trusted group.
Note: This error occurs when you are configuring Management Central systems to use Kerberos authentication.
Add the Kerberos principal for the system that is trying to connect to this system to your trusted group file. To recover from this error, follow these steps:
  1. Set the central system to use Kerberos authentication.
  2. Collect system values inventory.
  3. Compare and update.
  4. Restart Management Central servers on the central system and the target systems.
  5. Add Kerberos service principal to the trusted group file for all endpoint systems.
  6. Allow trusted connections.
  7. Restart Management Central servers on the central system and the target systems.
  8. Test authentication on Management Central servers.