Hi Joe,
The error 0x96c73a44 indicates the following:
REALM Name does not match what is in the Microsoft Active Directory KDC
I’ve seen this issue before. You need to use Navigator and open the properties of the new Realm. There you need to be sure that the AD controller\Windows server you use for that Realm is in the same domain as the Realm.
Regards,
Tsvetan
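
Added example, not part of the original thread: when the message catalog has no text for a status such as 0x96c73a44, the word can be decoded by hand. The sketch assumes the status uses the MIT krb5 error-table layout (base 0x96C73A00 plus the RFC 4120 error number), which agrees with the meaning given in the reply above; the function names are hypothetical.

```python
import re

# Assumption (not stated in the thread): the status word uses the MIT krb5
# com_err layout, i.e. table base 0x96C73A00 plus the RFC 4120 error number.
KRB5_TABLE_BASE = 0x96C73A00

# Subset of the RFC 4120 (section 7.5.9) protocol error numbers.
RFC4120_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
    41: "KRB_AP_ERR_MODIFIED",
    68: "KDC_ERR_WRONG_REALM",
}

HEX_STATUS = re.compile(r"\b0x([0-9a-fA-F]{8})\b")

def decode_status(status):
    """Return (error number, name), or None if outside the protocol range."""
    status &= 0xFFFFFFFF              # accept signed 32-bit values as well
    offset = status - KRB5_TABLE_BASE
    if not 0 <= offset < 128:         # RFC 4120 protocol errors sit in 0..127
        return None
    return offset, RFC4120_ERRORS.get(offset, "not in this subset")

def decode_kinit_output(text):
    """Decode each distinct status word found in captured kinit output."""
    seen, results = set(), []
    for match in HEX_STATUS.finditer(text):
        word = match.group(1).lower()
        decoded = decode_status(int(word, 16))
        if word in seen or decoded is None:
            continue
        seen.add(word)
        results.append(("0x" + word, *decoded))
    return results

# kinit output as quoted later in this thread.
SAMPLE = """Message 0x96c73a44 not found in catalog SKRBDLL.CAT
EUVF06014E Unable to obtain initial credentials.
Status 0x96c73a44 - N/A.
"""

if __name__ == "__main__":
    for status, number, name in decode_kinit_output(SAMPLE):
        print(f"{status}: protocol error {number} ({name})")
```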
________________________________
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> on behalf of Sizer, Joseph via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx>
Sent: Thursday, June 23, 2022 6:00:36 PM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: Sizer, Joseph <JSizer@xxxxxxxxxx>
Subject: RE: Network Authentication Service with a second Realm
Hello Tsvetan,
Thank you for the suggestion.
I ran the kinit command without the "-k" and was prompted to enter the password. I entered the correct password and received:
Message 0x96c73a44 not found in catalog SKRBDLL.CAT
EUVF06014E Unable to obtain initial credentials.
Status 0x96c73a44 - N/A.
Message 0x96c73a44 not found in catalog SKRBDLL.CAT
I worked with the AD group and we attempted to enable select encryption types but received the same results.
Joe
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Tsvetan Marinov
Sent: Thursday, June 23, 2022 10:49 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Network Authentication Service with a second Realm
Hi Joe,
Can you try to run kinit against CORP.COMPANY.COM, without "-k", so you can test if your service account/binding password is correct.
You can try doing "keytab delete" and re-add using "keytab add" and re-test kinit -k for CORP.COMPANY.COM.
In Navigator for i, check in the properties of the realm that you are using the correct KDC servers. For example, for me it works only if the KDCs are within the same Realm - CORP.COMPANY.COM.
Regards,
Tsvetan
On Wed, 22 Jun 2022 at 15:23, Sizer, Joseph via MIDRANGE-L < midrange-l@xxxxxxxxxxxxxxxxxx> wrote:
I have an established and working configuration for single sign-on for my V7R3 environment. My company is migrating our Active Directory domain from "company.com" to "corp.company.com". We use a Microsoft Active Directory for Kerberos authentication.
In attempting to set up a second Realm of corp.company.com, I went into IBM Navigator for I and selected Security / Network Authentication Service / Configuration Wizard and configured the services necessary for single sign-on for the second realm. I produced a .bat file which was run on the new corp.company.com domain controller.
I have also attempted to update the Realm properties by going to Security / Network Authentication Service / Realms and added a second Realm with the appropriate KDC.
I can see the entries in the keytab list and have verified that the passwords match between NAS and AD. I have performed a kinit -k krbsvr400/IBMiMachineName.company.com@xxxxxxxxxxx and gotten a proper response. SSO is working with a 5250 session. I do not get a positive response when attempting the same kinit -k command with the CORP.COMPANY.COM command.
Does anyone have links to information or documentation that would address adding a second realm to an existing and working NAS/EIM SSO configuration?
Joe Sizer
IBM I Power9 Administrator
Pencor Digital Services
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
Office: 610.826.9080 Ext. 2117
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com