Troubleshooting single sign-on
Use the following troubleshooting methods to solve some of the basic problems you might experience while configuring and using a single sign-on environment.
There are several actions that you can take to circumvent
problems with your IBM® i single
sign-on configuration:
If you are still experiencing a problem with your single sign-on after reviewing the steps above, use the following table to determine possible solutions to the symptoms of your configuration problems:
Symptoms | Possible solutions |
---|---|
Host name resolution problems |
|
You are unable to connect to IBM i systems within your single sign-on environment. |
|
The NSLOOKUP utility fails
to resolve a host name when given an IP address during an attempt
to confirm that the host resolution is consistent between your IBM i system and a client
PC. |
The NSLOOKUP utility uses the
currently configured DNS to resolve IP addresses from host names,
as well as host names from IP addresses. If a host name cannot be
resolved from an IP address, the most likely cause is a missing PTR
record in DNS. Have your DNS administrator add a PTR record for this
IP address. |
EIM configuration problems |
|
EIM mappings are not working as expected. In some instances, you are unable to sign into your system with IBM i Access Client Solutions when using Kerberos authentication. |
|
Network authentication service configuration problems |
|
A keytab entry is not found
when you perform a keytab list . |
|
Users are unable to connect to systems. | Users might be unable to connect to systems
if the EIM registry definition for the Kerberos registry was inappropriately
defined as case sensitive. Delete and re-create the Kerberos registry. Note: You
will lose any associations that have been defined for that registry
and will have to re-create them.
|
User receives a message indicating an incorrect password when verifying the network authentication service configuration. | The password for the service in the KDC does not match the password for the service in the keytab. Update the keytab entry by using the keytab add command, and update the password for the service on the KDC. |
User receives the following message: Unable
to obtain name of default credentials cache . |
Verify that a home directory (/home/<user
profile>) exists for the user that is performing the kinit . |
User receives the following message: Response
too large for datagram. |
Update the network authentication service configuration
to use TCP as the data communications protocol:
|
General problems |
|
You receive error message CWBSY10XX when
attempting single sign-on. |
|