Kerberos problem

sdm

Guest

Hi

I am trying to use Kerberos for single sign-on using a combination of Windows XP clients to connect to IBM WebSeal and then on to IBM WebSphere. Everything seems to be working from the IBM side of things; however, on testing 50 PCs, half fail to connect, resulting in a WebSeal error.

IBM assure me that this is a Kerberos issue. I've turned on Kerberos logging and I don't see any error in the Event log, and I appear to have the session tickets correctly. I would appreciate any help as to where to look next.

Thanks in Advance,

Stephen

 
Dobromir Todorov

Guest

If half of them can authenticate and the other half can't, then I'd rule out DNS, keytabs, and other general Kerberos stuff.

The three things to look at would be:

Time synchronisation - make sure that client clocks and associated timezones are skewed less than 5 minutes from the server (this is not very likely, as time sync is required for the client to log in to AD in the first place...)

krbtray.exe - this Windows 2000/2003 Resource Kit tool provides a list of current tickets available to the user. Look for tickets to your WebSeal server for both users that can and can't connect, and compare the results.

There are some Kerberos implementation specifics on the Microsoft side - you may want to check out the following article:

http://www-1.ibm.com/support/docview.wss?r...rss=ct638tivoli

--
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

"sdm" <stephen.moss@bradford.gov.uk> wrote in message news:GYudnS3Vfca5h5PVRVnyhAA@eclipse.net.uk...
> Hi
>
> I am trying to use Kerberos for single sign-on using a combination of
> Windows XP clients to connect to IBM WebSeal and then on to IBM WebSphere.
> Everything seems to be working from the IBM side of things; however, on
> testing 50 PCs, half fail to connect, resulting in a WebSeal error.
>
> IBM assure me that this is a Kerberos issue. I've turned on Kerberos
> logging and I don't see any error in the Event log, and I appear to have
> the session tickets correctly. I would appreciate any help as to where to
> look next.
>
> Thanks in Advance,
>
> Stephen
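The first two checks from the reply above, sketched as an added example that is not part of the original thread: it compares each client's clock in UTC against the 5-minute tolerance and checks whether a ticket for the WebSeal service is held. The host names, realm, service principal, timestamps and ticket lists are constructed sample data.

```python
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)  # tolerance quoted in the reply above
# Constructed reference time and hypothetical service principal name.
SERVER_NOW = datetime.fromisoformat("2006-03-01T10:00:00+00:00")
WEBSEAL_SPN = "HTTP/webseal.example.local"
TGT = "krbtgt/EXAMPLE.LOCAL"

# Constructed records: (host, connects?, local clock with UTC offset, tickets held)
CLIENTS = [
    ("PC01", True,  "2006-03-01T10:00:20+00:00", {TGT, WEBSEAL_SPN}),
    ("PC02", True,  "2006-03-01T09:58:40+00:00", {TGT, WEBSEAL_SPN}),
    ("PC03", False, "2006-03-01T10:00:10+01:00", {TGT, WEBSEAL_SPN}),  # wrong timezone
    ("PC04", False, "2006-03-01T10:01:00+00:00", {TGT}),               # no service ticket
    ("PC05", False, "2006-03-01T10:07:30+00:00", {TGT, WEBSEAL_SPN}),  # clock drift
]

def clock_skew(local_clock, reference=SERVER_NOW):
    """Absolute skew measured in UTC, so a wall clock that looks right but
    carries the wrong timezone shows up as a skew of about a whole hour."""
    return abs(datetime.fromisoformat(local_clock) - reference)

def findings(record):
    """Return the list of problems found for one client record."""
    _host, _ok, clock, tickets = record
    out = []
    skew = clock_skew(clock)
    if skew > MAX_SKEW:
        out.append(f"clock skew {int(skew.total_seconds())}s")
    if WEBSEAL_SPN not in tickets:
        out.append(f"no ticket for {WEBSEAL_SPN}")
    return out

def triage(clients=CLIENTS):
    """Map each failing host to its findings. Findings that also occur on
    working hosts are returned separately, since they cannot explain the split."""
    failing = {r[0]: findings(r) for r in clients if not r[1]}
    noise = {f for r in clients if r[1] for f in findings(r)}
    return failing, noise

if __name__ == "__main__":
    failing, noise = triage()
    for host, items in failing.items():
        print(host, "->", items or ["nothing found; compare ticket details by hand"])
    print("also seen on working hosts:", sorted(noise))
```
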

 