We have SSO configured and working for a good portion of our client
machines. I have six machines that fail. If the users come to my
machine and log in, SSO works. If I go to theirs, I fail.
On their machines, an ipconfig /all shows that I have the right domain,
DNS server, etc. I can ping the fully qualified domain name of the
iSeries. A check of the FQDN and the ip address for the iSeries shows
that I am translating between the two correctly.
When I attempt to validate the Kerberos authenticated connection in
iSeries Navigator, Security/DDM/Telnet work, but all other host servers
fail with CWBSY1017 Kerberos credentials not valid on server
ISERIES.US.COMPANYNAME.COM rc=612. Running diagnostic tools shows that
the IP addresses are resolving, but that the connections are failing with
the same error message already listed. That error message doesn't make
much sense to me as the computer right next to it can work with the very same
configuration--it's hard to see how this can be a mismatched password on
the principals.
I've tried the standard debug procedures: going into QSH, running
Kinit/Keytab/Kinit -k krbsvr etc and find no errors. If I take the
connection defined for Kerberos and change it to validate based on a
default user, everything works fine. I've downloaded Microsoft's kerbtray
and verified that the client is receiving a ticket for krbsvr. I've gone
through a call to IBM, and got back the following:
I honestly don't think there is much we can do for you from the iSeries
side however because the only thing not working is a single PC. EIM
allows you to map users but it has nothing to do with what PC they log
on with. It sounds like no matter who logs on from that PC, they don't
work but they work at other PCs. The only thing I can suggest is to
verify that all network configuration is exactly the same on that PC as
others and that it is at the same fix level, also possibly try rebooting
it.
We have updated all the PCs in question to the latest and greatest Client
Access at V5R4, installed all of the outstanding Microsoft patches, turned
off the Windows firewall, etc. Checking with our local users group, we
find that others have the same problem--the majority of computers work,
some simply can't be made to work.
Are there any low level checks that I have missed? All of the stuff I can
Google involves high level checks like verifying that the computer doesn't
have a host file entry (check), ensuring that the iSeries FQDN works
(check), ensuring that the iSeries and principals passwords are in sync
(check), verifying EIM mapping (check), using NSLOOKUP on the iSeries ip
address and name (check and check).