Hi Joe,

The error 0x96c73a44 indicates the following:
REALM Name does not match what is in the Microsoft Active Directory KDC

I’ve seen this issue before. You need to use navigator and open the properties of the new Realm. There you need to be sure that the AD controller\Windows server you use for that Realm are in the same domain as the Realm.

Regards,
Tsvetan

Get Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> on behalf of Sizer, Joseph via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx>
Sent: Thursday, June 23, 2022 6:00:36 PM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: Sizer, Joseph <JSizer@xxxxxxxxxx>
Subject: RE: Network Authentication Service with a second Realm

Hello Tsvetan,

Thank you for the suggestion.

I ran the kinit command without the "-k" and was prompted to enter the password. I entered the correct password and received:

Message 0x96c73a44 not found in catalog SKRBDLL.CAT
EUVF06014E Unable to obtain initial credentials.
Status 0x96c73a44 - N/A.
Message 0x96c73a44 not found in catalog SKRBDLL.CAT

I worked with the AD group and we attempted to enable select encryption types but received the same results.

Joe

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Tsvetan Marinov
Sent: Thursday, June 23, 2022 10:49 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Network Authentication Service with a second Realm

Hi Joe,

Can you try to run kinit against CORP.COMPANY.COM, without "-k", so you can test whether your service account/binding password is correct.
You can try doing "keytab delete" and re-adding using "keytab add", then re-test kinit -k for CORP.COMPANY.COM.

In Navigator for i, check in the properties of the realm that you are using the correct KDC servers. For example, for me it works only if the KDCs are within the same realm, CORP.COMPANY.COM.

Regards,
Tsvetan

On Wed, 22 Jun 2022 at 15:23, Sizer, Joseph via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

I have an established and working configuration for single sign-on for my V7R3 environment. My company is migrating our Active Directory domain from "company.com" to "corp.company.com". We use a Microsoft Active Directory for Kerberos authentication.

In attempting to set up a second Realm of corp.company.com, I went into IBM Navigator for i and selected Security / Network Authentication Service / Configuration Wizard and configured the services necessary for single sign-on for the second realm. I produced a .bat file which was run on the new corp.company.com domain controller.

I have also attempted to update the Realm properties by going to Security / Network Authentication Service / Realms and added a second Realm with the appropriate KDC.

I can see the entries in the keytab list and have verified that the passwords match between NAS and AD. I have performed a kinit -k krbsvr400/IBMiMachineName.company.com@xxxxxxxxxxx and gotten a proper response. SSO is working with a 5250 session. I do not get a positive response when attempting the same kinit -k command with the CORP.COMPANY.COM command.

Does anyone have links to information or documentation that would address adding a second realm to an existing and working NAS/EIM SSO configuration?


Joe Sizer
IBM I Power9 Administrator
Pencor Digital Services

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
Office: 610.826.9080 Ext. 2117
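The advice in the replies above (check that the KDCs configured for a realm actually sit in that realm's DNS domain, and that the realm you pass to kinit is one the configuration knows about) can be turned into a small offline check. The Python script below is an added example, not code from the thread or from IBM: it parses the [realms] section of a krb5.conf-style file and flags KDC hosts that fall outside their realm's domain. The krb5.conf excerpt is constructed to mirror the migration described in the thread, and the IBM i file path mentioned in the docstring is an assumption to verify on your own system.

```python
"""Sanity-check the [realms] section of a krb5.conf-style file.

Added example, not from the thread. It encodes the heuristic from the
replies: every KDC listed for a realm should sit in that realm's DNS
domain (a KDC for CORP.COMPANY.COM should be *.corp.company.com).
The sample below is constructed. On IBM i the NAS configuration is
assumed to live in /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf
(verify the path on your system before pointing the script at it).
"""
import re

# Constructed sample: the old realm is fine, but the new realm still
# points at a domain controller in the old DNS domain.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = COMPANY.COM

[realms]
 COMPANY.COM = {
   kdc = dc1.company.com:88
   kdc = dc2.company.com
 }
 CORP.COMPANY.COM = {
   kdc = dc1.company.com:88
 }

[domain_realm]
 .company.com = COMPANY.COM
 .corp.company.com = CORP.COMPANY.COM
"""

_REALM_HDR = re.compile(r"^\s*([A-Za-z0-9.\-_]+)\s*=\s*\{\s*$")
_KV = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$")


def parse_realms(text):
    """Return {REALM: [kdc hostnames]} from the [realms] section."""
    realms = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            current = None
            continue
        if section != "realms":
            continue
        m = _REALM_HDR.match(line)
        if m:
            current = m.group(1).upper()      # realm names are upper-case
            realms.setdefault(current, [])
            continue
        if stripped == "}":
            current = None
            continue
        m = _KV.match(line)
        if m and current and m.group(1).lower() == "kdc":
            host = m.group(2).rsplit(":", 1)[0].lower()   # strip :port
            realms[current].append(host)
    return realms


def realm_of(principal):
    """Realm part of user@REALM or svc/host@REALM, or None if absent."""
    if "@" not in principal:
        return None
    return principal.rsplit("@", 1)[1].upper()


def check_realms(realms):
    """List (realm, kdc) pairs whose KDC is outside the realm's domain."""
    findings = []
    for realm, kdcs in realms.items():
        suffix = "." + realm.lower()
        for kdc in kdcs:
            if not kdc.endswith(suffix):
                findings.append((realm, kdc))
    return findings


def check_principal(principal, realms):
    """True if the principal's realm has at least one KDC configured."""
    realm = realm_of(principal)
    return bool(realm and realms.get(realm))


if __name__ == "__main__":
    cfg = parse_realms(SAMPLE_KRB5_CONF)
    for realm, kdc in check_realms(cfg):
        print(f"{realm}: KDC {kdc} is outside the realm's DNS domain")
    print(check_principal("krbsvr400/ibmi.company.com@CORP.COMPANY.COM", cfg))
```

The domain-suffix rule is the thread's heuristic for AD-backed realms, not a Kerberos requirement in general (realm names and DNS names may legitimately differ in other deployments), so treat a finding as something to confirm in the realm properties rather than as a definite error.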

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
