Troubleshooting

Use

This section lists the error messages that you may see while using the Kerberos configuration wizard, together with the possible causes of each problem and how to fix it.

Ensure all prerequisites are met

Description

Before you start using the wizard, you should create a service user and configure the SPNego-specific settings in the UME.

In the first step of the wizard, confirm this by selecting the two checkboxes and, if you are using the SUN Java Virtual Machine (JVM), providing the mapping attribute.

Solution

Confirm that you have created a service user and made the UME configurations by selecting these checkboxes, and type the mapping attribute if such a text field is displayed.

Realm is missing

Description

The Kerberos Realm field is not filled.

Solution

Type the name of the Kerberos Realm in the field.

You must provide information for at least one KDC server

Description

There are no entries for the Key Distribution Center (KDC) host/port in the KDC table. You should add at least one KDC host/port entry.

Solution

Add at least one KDC host in the table.

Service User Name cannot be empty

Description

The name of the service user is not entered in the corresponding field.

Solution

Enter the service user name in the provided field.

Service User Password is missing

Description

The password of the service user is not provided.

Solution

You should type the service user password.

Principal name cannot be empty

Description

The Kerberos Principal Name of the J2EE Engine is not entered.

Solution

Enter the Kerberos principal name for the J2EE Engine in the provided field.

Principal password is missing

Description

The password for the service user to retrieve the KPN of the J2EE Engine is missing.

Solution

Enter the password in the provided field.

Required data is missing

Description

Required data to complete the configuration is not entered.

Solution

Fill in all text fields marked with an asterisk.

Realm in the Principal HTTP/<Principal_Name_of_J2EE_Engine>@<DOMAIN_NAME_1> does not match Kerberos Realm <DOMAIN_NAME_2>

Description

The Kerberos Realm part of the Principal name is different from the Kerberos Realm name provided for the Kerberos realm configuration.

Solution

Check that the names of the Kerberos Realm (or Windows Domain) are identical for the Kerberos Realm configuration and for the provided Kerberos Principal name of the J2EE Engine.

Failed to connect to LDAP

Description

The wizard was not able to connect to the LDAP server.

Solution

Double-check the connection properties for your LDAP server. Make sure the LDAP server is able to accept connection requests.

The account of j2ee-<SID> is disabled

Description

The account of j2ee-<SID> is disabled.

Solution

Enable the account or use a different service user.

The password of j2ee-<SID> must be reset

Description

The password of j2ee-<SID> must be reset.

Solution

Reset the password or use a different service user.

The password of j2ee-<SID> has expired

Description

The password of j2ee-<SID> has expired.

Solution

Change the service user password and repeat the step.

Invalid user or password for LDAP server

Description

The name or the password of the service user is wrong.

Solution

Check if the service user and its password are typed correctly.

The account of j2ee-<SID> has expired

Description

The account of j2ee-<SID> has expired.

Solution

Change the expiration date or set the account to not expire.

Service user j2ee-<SID> is not permitted to logon at this time

Description

Service user j2ee-<SID> is not permitted to logon at this time.

Solution

Check the logon configuration for the service user.

LDAP user is not found - Kerberos Realm is wrong or there is no such Service User

Description

LDAP user is not found - Kerberos Realm is wrong or there is no such Service User.

Solution

Check if the Kerberos realm and service user name are correct.

Invalid LDAP host or port

Description

The LDAP host or port is not correct.

Solution

Check the LDAP host and port.

Unknown LDAP error

Description

A problem occurred during a search in LDAP.

Solution

Check the LDAP server configuration.

Principal j2ee-<SID> is not valid

Description

The format for the entered principal is not correct.

Solution

The format of the entered service user must be as follows: <samaccountname>@<DOMAIN>, for example j2ee-<SID>@IT.CUSTOMER.DE.

Service User j2ee-<SID> is not found

Description

When you use ADS as the user data source, the reason can be one of the following:

  • The service user is not under the configured User Path in UME

  • The mapping attribute does not exist in the UME data source

  • The UME attribute is mapped to the wrong physical attribute

When you use a DB as the user data source, the reason can be one of the following:

  • The service user is not replicated (manually)

  • The mapping attribute is not added or is set to the wrong value

Solution

Check each of the listed reasons for the problem.

Service principal name for service user j2ee-<SID> does not exist

Description

No Service Principal Name (SPN) is registered.

Solution

From a command line, enter the following command to register service principal names (SPNs) for the J2EE Engine host name and alias and map them to the service user j2ee-<SID>:

setspn -A HTTP/portal.saplabs.sofia j2ee-<SID>

Service principal names of user j2ee-<SID> are not unique - check Active Directory configuration

Description

Multiple users found with the same SPN attribute as the service user j2ee-<SID>.

Solution

Remove the duplicated SPNs. First, find the SPNs that are mapped to the user:

ldifde -r "(samaccountname=j2ee-<SID>)" -f out.ldf

For every ServicePrincipalName attribute that is listed in the result of the previous operation (out.ldf), check which users have it:

ldifde -r "(serviceprincipalname=HTTP/<DNS_of_J2EE_Engine>)" -f usr.ldf

If the SPN is mapped to more than one user, all of these users are listed in the usr.ldf file.

After you have identified the SPN that causes the problem, delete it from the user that should not have it:

setspn -d HTTP/<DNS_of_J2EE_Engine> j2ee-TEST

Samaccount name j2ee-<SID> is not unique

Description

There is more than one user with this sAMAccountName attribute.

Solution

Delete the accounts with a duplicate sAMAccountName attribute or create a new service user with a different sAMAccountName attribute.

User <user_ID> is resolved in UME but it is not unique

Description

Two or more user accounts correspond to the provided user ID.

Solution

In the user data source, remove the account(s) with the duplicate user ID.

User <user_ID> is not found unique

Description

UME cannot resolve a user for the provided user ID.

Solution

Check the resolution mode and the UME configuration.

UME cannot resolve Kerberos principal name <DNS_of_J2EE_Engine>@<DOMAIN_NAME> - check selected resolution model

Description

UME cannot resolve the provided user. The reason for this is the selected resolution mode.

Solution

Check that the attributes of the selected resolution mode are correctly typed and mapped to the physical attribute.

Failed to create krb5.conf file

Description

Failed to create krb5.conf file. The probable cause is an I/O error.

Solution

Apply Note 1332726 and create a CSN message in BC-JAS-SEC.

Failed to set JGSS Accept policy configuration

Description

Failed to set JGSS Accept policy configuration.

Solution

Apply Note 1332726 and create a CSN message in BC-JAS-SEC.

Failed to create keytab file

Description

Failed to create keytab file. The probable cause is an I/O error.

Solution

Apply Note 1332726 and create a CSN message in BC-JAS-SEC.

Failed to save policy configuration ticket

Description

Failed to save policy configuration ticket.

Solution

Apply Note 1332726 and create a CSN message in BC-JAS-SEC.

Failed to set JVM Parameters

Description

Failed to set JVM Parameters.

Solution

Apply Note 1332726 and create a CSN message in BC-JAS-SEC.

Failed to adjust login modules in userstore

Description

The wizard failed to adjust the configuration for required login modules in the user data store.

Solution

Apply Note 1332726 and create a CSN message in BC-JAS-SEC.

Internal Error

Description

An unexpected error has occurred.

Solution

Apply Note 1332726 and create a CSN message in BC-JAS-SEC.

Unexpected Error: <Error message>

Description

An unexpected error has occurred.

Solution

Apply Note 1332726 and create a CSN message in BC-JAS-SEC.