Content Platform Engine, Version 5.2.1            

Identity errors

You can recover from conditions where user names and passwords are not configured correctly.

Symptoms

Pre-authentication information was invalid (24)

Integrity check on decrypted field failed (31)

Cannot get credential for principal default service

Resolving the problem

The most likely error is that the user name and password in the keytab do not exactly match the user name and password of the Identity user account that were given when the account was created. Note that this match is case-sensitive for the user name, the domain name (which must be uppercase in the ktpass or ktab command), and the password. Try rerunning ktpass or ktab and re-establishing the password, paying close attention to the uppercase and lowercase characters used. Also validate the name of the identity account and reset its password.

This could also mean that the keytab file was not found for the user account (in the FNCEWS_myce01@MYDOM.EXAMPLE.COM form), but in that case there should also be an earlier error stating that the user in the keytab could not be found.

This could mean that the Identity user account mapped to the SPN which the client used does not match the user account that the Content Platform Engine's KrbServiceLoginModule used. A possible reason for this is that the login module's serviceAccountName is not set to the correct identity account name (not the SPN) for a cluster. For example, the name should be FNCEWS_ce01 and not FNCEWS/ce01.

Another possibility is that Microsoft's ktpass utility was used to map an SPN to the identity account. This utility changes the User logon name (also known as the User Principal Name) field, and doing so automatically corrupts the password for that account. The solution for this is to reset the identity account's password and User logon name.

There is also the possibility that the system clocks are too far out of sync; see Clock skew too great (37).
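The case-sensitive comparison described above can be checked directly against a keytab file. The following is an added example, not IBM code: it assumes the keytab uses the MIT version 0x0502 file format, and the names parse_keytab, check, sample_entry and SAMPLE are hypothetical, with SAMPLE being constructed data that holds an all-zero dummy key.

```python
import struct

def _cstr(buf, p):
    """Read a counted string (uint16 length + bytes); return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return (name, realm) for each entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                        # negative size marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = _cstr(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, p = _cstr(data, p)
                comps.append(comp)
            entries.append(("/".join(comps), realm))  # key bytes are never read
        pos += abs(size)
    return entries

def check(entries, account, realm):
    """Case-sensitive comparison of the keytab against the identity account."""
    findings = []
    if "/" in account:
        findings.append("account is in SPN form; use the account name")
    if realm != realm.upper():
        findings.append("realm must be uppercase")
    if (account, realm) not in entries:
        near = [f"{n}@{r}" for n, r in entries
                if (n.lower(), r.lower()) == (account.lower(), realm.lower())]
        findings.append("differs only in case: " + ", ".join(near) if near
                        else "no keytab entry for " + f"{account}@{realm}")
    return findings

def sample_entry(name, realm):
    """Constructed test entry with an all-zero dummy AES256 key."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", 1) + cs(realm) + cs(name)
    body += struct.pack(">IIBHH", 1, 0, 3, 18, 32) + bytes(32)
    return struct.pack(">i", len(body)) + body

# Constructed keytab whose principal was created with the wrong case.
SAMPLE = b"\x05\x02" + sample_entry("fncews_myce01", "mydom.example.com")
```

An empty list from check means the keytab holds an entry that matches the identity account name and realm exactly; the password itself still has to be confirmed by rerunning ktpass or ktab.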



Last updated: March 2016

© Copyright IBM Corporation 2016.