Here you can find a list of the error messages that you may see while using the Kerberos configuration wizard. For each message, you can also find the reasons that may have caused the problem and the solutions to fix it.
Ensure all prerequisites are met
Description |
Before you start using the wizard, you should create a service user and configure the SPNego-specific settings in the UME. In the first step of the wizard, confirm this by selecting the two checkboxes and, if you are using the SUN Java Virtual Machine (JVM), providing the mapping attribute. |
Solution |
Confirm that you have created a service user and the UME configuration by selecting these checkboxes, and type the mapping attribute if such a text field is displayed. |
Realm is missing
Description |
The Kerberos Realm field is not filled. |
Solution |
Type the name of the Kerberos Realm in the field. |
You must provide information for at least one KDC server
Description |
There are no entries for the Kerberos Distribution Center (KDC) host/port in the KDC table. You should add at least one KDC host/port entry. |
Solution |
Add at least one KDC host in the table. |
Service User Name cannot be empty
Description |
The name of the service user is not entered in the corresponding field. |
Solution |
Enter the service user name in the provided field. |
Service User Password is missing
Description |
The password of the service user is not provided. |
Solution |
You should type the service user password. |
Principal name cannot be empty
Description |
The Kerberos Principal Name of the J2EE Engine is not entered. |
Solution |
Enter the Kerberos principal name for the J2EE Engine in the provided field. |
Principal password is missing
Description |
The password for the service user to retrieve the KPN of the J2EE Engine is missing. |
Solution |
Enter the password in the provided field. |
Required data is missing
Description |
Required data to complete the configuration is not entered. |
Solution |
Fill in all text fields marked with an asterisk. |
Realm in the Principal HTTP/<Principal_Name_of_J2EE_Engine>@<DOMAIN_NAME_1> does not match Kerberos Realm <DOMAIN_NAME_2>
Description |
The Kerberos Realm part of the Principal name is different from the Kerberos Realm name provided for the Kerberos realm configuration. |
Solution |
Check that the names of the Kerberos Realm (or Windows Domain) are identical for the Kerberos Realm configuration and for the provided Kerberos Principal name of the J2EE Engine. |
Failed to connect to LDAP
Description |
A connection to the LDAP server could not be established. |
Solution |
Double-check the connection properties for your LDAP server. Make sure the LDAP server is able to accept connection requests. |
The account of j2ee-<SID> is disabled
Description |
The account of j2ee-<SID> is disabled. |
Solution |
Enable the account or use a different service user. |
The password of j2ee-<SID> must be reset
Description |
The password of j2ee-<SID> must be reset. |
Solution |
Reset the password or use a different service user. |
The password of j2ee-<SID> has expired
Description |
The password of j2ee-<SID> has expired. |
Solution |
Change the service user password and repeat the step. |
Invalid user or password for LDAP server
Description |
The name or the password of the service user is wrong. |
Solution |
Check if the service user and its password are typed correctly. |
The account of j2ee-<SID> has expired
Description |
The account of j2ee-<SID> has expired. |
Solution |
Change the expiration date or set the account to never expire. |
Service user j2ee-<SID> is not permitted to logon at this time
Description |
Service user j2ee-<SID> is not permitted to logon at this time. |
Solution |
Check the logon configuration for the service user. |
LDAP user is not found - Kerberos Realm is wrong or there is no such Service User
Description |
LDAP user is not found - Kerberos Realm is wrong or there is no such Service User. |
Solution |
Check if the Kerberos realm and service user name are correct. |
Invalid LDAP host or port
Description |
The host or port is not correct. |
Solution |
Check the LDAP host and port. |
Unknown LDAP error
Description |
A problem occurred during a search in LDAP. |
Solution |
Check the LDAP server configuration. |
Principal j2ee-<SID> is not valid
Description |
The format for the entered principal is not correct. |
Solution |
The format of the entered service user must be as follows: <samaccountname>@<DOMAIN>, for example j2ee-<SID>@IT.CUSTOMER.DE |
Service User j2ee-<SID> is not found
Description |
When you are using ADS as the user data source, the reason can be one of the following:
|
Solution |
Check listed reasons for the problem. |
Service principal name for service user j2ee-<SID> does not exist
Description |
No Service Principal Name (SPN) is registered. |
Solution |
From a command line, enter the following command to register service principal names (SPNs) for the J2EE Engine host name and alias and map them to the service user j2ee-<SID>: setspn -A HTTP/portal.saplabs.sofia j2ee-<SID> |
Service principal names of user j2ee-<SID> are not unique - check Active Directory configuration
Description |
Multiple users found with the same SPN attribute as the service user j2ee-<SID>. |
Solution |
Remove the duplicated SPNs. First, find the SPNs that are mapped to the user:
ldifde -r (samaccountname=j2ee-<SID>) -f out.ldf
For every ServicePrincipalName attribute listed in the result of the previous operation (out.ldf), check which users have it:
ldifde -r (serviceprincipalname=HTTP/<DNS_of_J2EE_Engine>) -f usr.ldf
If the SPN is mapped to more than one user, all these users are listed in the usr.ldf file. After you have found the SPN that causes the problem, delete it from the user that should not have it:
setspn -d HTTP/<DNS_of_J2EE_Engine> j2ee-TEST |
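The duplicate check in the solution above can be run over a whole LDIF export in one pass. The following is an added example, not part of the original page or of SAP's tooling: it parses text in the format ldifde writes and reports every SPN registered on more than one account. The account names, host names and the function names `parse_ldif` and `duplicate_spns` are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample in the shape of an ldifde export (not real directory data).
SAMPLE_LDIF = """\
dn: CN=j2ee-TEST,OU=Service,DC=it,DC=customer,DC=de
sAMAccountName: j2ee-TEST
servicePrincipalName: HTTP/portal.it.customer.de
servicePrincipalName: HTTP/portal

dn: CN=old-portal,OU=Service,DC=it,DC=customer,DC=de
sAMAccountName: old-portal
servicePrincipalName: HTTP/PORTAL.it.customer.de
servicePrincipalName: HTTP/archive.it.cust
 omer.de
"""


def parse_ldif(text):
    """Yield one {attribute: [values]} dict per LDIF entry."""
    # A line that starts with a single space continues the previous line.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entry = defaultdict(list)
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line.strip():               # blank line ends an entry
            if entry:
                yield dict(entry)
            entry = defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry[name.strip().lower()].append(value.strip())


def duplicate_spns(text):
    """Return {spn: sorted account names} for SPNs held by more than one account."""
    owners = defaultdict(set)
    for entry in parse_ldif(text):
        account = (entry.get("samaccountname") or entry.get("dn") or ["?"])[0]
        for spn in entry.get("serviceprincipalname", []):
            owners[spn.lower()].add(account)   # SPN matching is case-insensitive
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}
```

Each key in the result is an SPN to remove from all but the intended service user with the setspn -d command shown above.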
Samaccount name j2ee-<SID> is not unique
Description |
There is more than one user with such a sAMAccountName attribute. |
Solution |
Delete the accounts with a duplicate sAMAccountName attribute or create a new service user with a different sAMAccountName attribute. |
User <user_ID> is resolved in UME but it is not unique
Description |
There are two or more user accounts that correspond to the provided user ID. |
Solution |
In the user data source, remove the account(s) with the duplicate user ID. |
User <user_ID> is not found unique
Description |
UME cannot resolve a user for the provided user ID. |
Solution |
Check the resolution mode and the UME configuration. |
UME cannot resolve Kerberos principal name <DNS_of_J2EE_Engine>@<DOMAIN_NAME> - check selected resolution model
Description |
UME cannot resolve the provided user. The reason for this is the selected resolution mode. |
Solution |
Check that the attributes of the selected resolution mode are typed correctly and mapped to the physical attribute. |
Failed to create krb5.conf file
Description |
Failed to create krb5.conf file. Probable cause is I/O error. |
Solution |
Apply Note 1332726 and create CSN Message in BC-JAS-SEC. |
Failed to set JGSS Accept policy configuration
Description |
Failed to set JGSS Accept policy configuration. |
Solution |
Apply Note 1332726 and create CSN Message in BC-JAS-SEC. |
Failed to create keytab file
Description |
Failed to create keytab file. Probable cause is I/O error. |
Solution |
Apply Note 1332726 and create CSN Message in BC-JAS-SEC. |
Failed to save policy configuration ticket
Description |
Failed to save policy configuration ticket. |
Solution |
Apply Note 1332726 and create CSN Message in BC-JAS-SEC. |
Failed to set JVM Parameters
Description |
Failed to set JVM Parameters. |
Solution |
Apply Note 1332726 and create CSN Message in BC-JAS-SEC. |
Failed to adjust login modules in userstore
Description |
The wizard failed to adjust the configuration for required login modules in the user data store. |
Solution |
Apply Note 1332726 and create CSN Message in BC-JAS-SEC. |
Internal Error
Description |
An unexpected error has occurred. |
Solution |
Apply Note 1332726 and create CSN Message in BC-JAS-SEC. |
Unexpected Error: <Error message>
Description |
An unexpected error has occurred. |
Solution |
Apply Note 1332726 and create CSN Message in BC-JAS-SEC. |