Kerberos problem


sdm

Hi

I am trying to use Kerberos for single sign-on using a combination of Windows
XP clients to connect to IBM WebSeal and then on to IBM WebSphere.
Everything seems to be working from the IBM side of things, however on
testing 50 PCs, half fail to connect, resulting in a WebSeal error.

IBM assure me that this is a Kerberos issue. I've turned on Kerberos logging
and I don't see any error in the Event log, and I appear to have the session
tickets correctly. I would appreciate any help as to where to look next.

Thanks in Advance,

Stephen
 
If half of them can authenticate and the other half can't, then I'd rule
out DNS, keytabs, and other general Kerberos stuff.

The three things to look at would be:
* Time synchronisation - make sure that client clocks and associated
timezones are skewed less than 5 minutes from the server (this is not very
likely, as time sync is required for the client to log in to AD in the
first place...)
* krbtray.exe - this Windows 2000/2003 Resource Kit tool provides a list of
current tickets available to the user. Look for tickets to your WebSeal
server for both users that can and can't connect, and compare the results.
* There are some Kerberos implementation specifics on the Microsoft side -
you may want to check out the following article:
http://www-1.ibm.com/support/docview.wss?r...rss=ct638tivoli

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

"sdm" wrote in message
news:GYudnS3Vfca5h5PVRVnyhAA@eclipse.net.uk...
> Hi
>
> I am trying to use Kerberos for single sign-on using a combination of
> Windows XP clients to connect to IBM WebSeal and then on to IBM WebSphere.
> Everything seems to be working from the IBM side of things, however on
> testing 50 PCs, half fail to connect, resulting in a WebSeal error.
>
> IBM assure me that this is a Kerberos issue. I've turned on Kerberos
> logging and I don't see any error in the Event log, and I appear to have
> the session tickets correctly. I would appreciate any help as to where to
> look next.
>
> Thanks in Advance,
>
> Stephen
>
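
The comparison suggested in the reply above (clock skew against the 5-minute tolerance, then the ticket for the WebSeal server on working versus failing PCs), as an added example that is not part of the original thread. The SPN, host names, clock readings and encryption types are constructed sample data, and comparing the ticket's encryption type is an assumption about which ticket property might differ.

```python
from collections import Counter
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)          # tolerance quoted in the reply
TARGET_SPN = "HTTP/webseal.example.com"  # hypothetical SPN for the WebSeal server

# Constructed sample data: clock reading and ticket list noted on each PC.
SERVER_CLOCK = "2006-03-01T10:00:00"
CLIENTS = [
    {"host": "pc01", "works": True, "clock": "2006-03-01T10:00:05",
     "tickets": {"krbtgt/EXAMPLE.COM": "RC4-HMAC", TARGET_SPN: "RC4-HMAC"}},
    {"host": "pc02", "works": True, "clock": "2006-03-01T09:59:30",
     "tickets": {"krbtgt/EXAMPLE.COM": "RC4-HMAC", TARGET_SPN: "RC4-HMAC"}},
    {"host": "pc03", "works": False, "clock": "2006-03-01T10:07:10",
     "tickets": {"krbtgt/EXAMPLE.COM": "RC4-HMAC", TARGET_SPN: "RC4-HMAC"}},
    {"host": "pc04", "works": False, "clock": "2006-03-01T10:00:02",
     "tickets": {"krbtgt/EXAMPLE.COM": "RC4-HMAC"}},
    {"host": "pc05", "works": False, "clock": "2006-03-01T10:00:01",
     "tickets": {"krbtgt/EXAMPLE.COM": "RC4-HMAC", TARGET_SPN: "DES-CBC-MD5"}},
]

def baseline_enctype(clients, spn):
    """Most common encryption type of the target ticket on working clients."""
    seen = Counter(c["tickets"][spn] for c in clients
                   if c["works"] and spn in c["tickets"])
    return seen.most_common(1)[0][0] if seen else None

def triage(clients, server_clock, spn=TARGET_SPN):
    """Return {host: [findings]} for every client that cannot connect."""
    server = datetime.fromisoformat(server_clock)
    expected = baseline_enctype(clients, spn)
    report = {}
    for c in clients:
        if c["works"]:
            continue
        findings = []
        skew = abs(datetime.fromisoformat(c["clock"]) - server)
        if skew > MAX_SKEW:
            findings.append(f"clock skew {int(skew.total_seconds())}s")
        etype = c["tickets"].get(spn)
        if etype is None:
            findings.append("no service ticket for " + spn)
        elif expected and etype != expected:
            findings.append(f"enctype {etype}, working clients use {expected}")
        report[c["host"]] = findings or ["tickets and clock match working clients"]
    return report

if __name__ == "__main__":
    for host, findings in triage(CLIENTS, SERVER_CLOCK).items():
        print(host, "->", "; ".join(findings))
```

A failing client that comes back with "tickets and clock match working clients" points away from the client's Kerberos state and toward the server side or the browser configuration.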
 