Kerberos problem

Posted by sdm on April 22, 2008, 1:02 pm
Hi

I am trying to use Kerberos for single sign-on using a combination of Windows
XP clients to connect to IBM WebSeal and then on to IBM WebSphere.
Everything seems to be working from the IBM side of things, however on
testing 50 PCs, half fail to connect resulting in a WebSeal error.

IBM assure me that this is a Kerberos issue, I've turned on Kerberos logging
and I don't see any error in the Event log, and I appear to have the session
tickets correctly. I would appreciate any help as to where to look next,

Thanks in Advance,

Stephen



Posted by Dobromir Todorov on April 22, 2008, 5:38 pm
If half of them can authenticate and the other half can't, then I'd rule
out DNS, keytabs, and other general Kerberos stuff.

The three things to look at would be:
* Time synchronisation - make sure that client clocks and associated
timezones are skewed less than 5 minutes from the server (this is not very
likely, as time sync is required for the client to log in to AD in the
first place...)
* krbtray.exe - this Windows 2000/2003 Resource Kit tool provides a list of
current tickets, available to the user. Look for tickets to your WebSeal
server for both users that can and can't connect, and compare the results
* There are some Kerberos implementation specifics on the Microsoft side -
you may want to check out the following article:
http://www-1.ibm.com/support/docview.wss?rs=638&context=SSPREK&dc=DB520&dc=DB560&uid=swg21259123&loc=en_US&cs=UTF-8&lang=en&rss=ct638tivoli

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

> Hi
>
> I am trying to use Kerberos for single sign-on using a combination of
> Windows XP clients to connect to IBM WebSeal and then on to IBM WebSphere.
> Everything seems to be working from the IBM side of things, however on
> testing 50 PCs, half fail to connect resulting in a WebSeal error.
>
> IBM assure me that this is a Kerberos issue, I've turned on Kerberos
> logging and I don't see any error in the Event log, and I appear to have
> the session tickets correctly. I would appreciate any help as to where to
> look next,
>
> Thanks in Advance,
>
> Stephen
>
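
Added example (not part of either post): a sketch of the clock and timezone check from the first bullet of the reply, run over a constructed inventory of client readings. Kerberos timestamps are compared in UTC, so a PC whose wall clock looks right but whose timezone is wrong can still exceed the 5-minute tolerance; the host names, readings and reference time below are invented for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # tolerance quoted in the reply above

# Constructed sample data: (host, wall clock shown on the PC, configured UTC offset in hours)
CLIENTS = [
    ("pc-01", "2008-04-22 13:02:10", 1),
    ("pc-02", "2008-04-22 13:06:30", 1),  # 4m30s fast, still inside tolerance
    ("pc-03", "2008-04-22 13:02:05", 0),  # wall clock looks right, timezone is wrong
    ("pc-04", "2008-04-22 12:55:40", 1),  # 6m20s slow
]
# Constructed reference time taken from the server side, already in UTC.
SERVER_UTC = datetime(2008, 4, 22, 12, 2, 0, tzinfo=timezone.utc)


def to_utc(wall_clock, utc_offset_hours):
    """Convert a local wall-clock reading plus its configured offset to UTC."""
    local = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M:%S")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def skew_report(clients, server_utc, max_skew=MAX_SKEW):
    """Return {host: (skew_seconds, within_tolerance)} measured in UTC."""
    report = {}
    for host, wall, offset in clients:
        skew = to_utc(wall, offset) - server_utc
        report[host] = (skew.total_seconds(), abs(skew) <= max_skew)
    return report


def out_of_tolerance(clients, server_utc):
    """Hosts whose UTC skew exceeds the tolerance, sorted by name."""
    report = skew_report(clients, server_utc)
    return sorted(host for host, (_, ok) in report.items() if not ok)


if __name__ == "__main__":
    for host, (secs, ok) in skew_report(CLIENTS, SERVER_UTC).items():
        print(f"{host}: skew {secs:+.0f}s {'ok' if ok else 'OUT OF TOLERANCE'}")
```

Comparing the flagged hosts against the list of PCs that fail at WebSeal shows quickly whether time is the dividing factor or can be ruled out.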


