Troubleshooting
Typical User Error Messages
Typical User Error Messages
Your application users may encounter error messages while using the Kerberos Server. The following sections describe typical user error messages, explains why they might occur, and suggests how to avoid them.
Decrypt integrity check failed
Explanation: This message is displayed if an application user requests a ticket from the server and one of the following is true:
•The user entered the wrong password for the realm chosen for the ticket request. There may be a different password for each realm that the user is permitted to access.
•The user entered an incorrect principal name during logon.
•The user principal account has been locked out of the security network and is not authorized to receive tickets from the server.
This message may also appear when a user attempts to change their password. In this case, the above conditions apply to the entries in the kpasswd of UNIX clients.
Based on how the MaxFailAuthCnt parameter in the password policy file is configured, the application user may have had a sufficient amount of failed authentication attempts to be locked from getting another ticket.
Action: Unlock the principal account using an administrative tool.
Password has already been used or is too close to current one
Explanation: This error message appears if the user chooses a password that has been previously used by them. The maximum number of previous passwords to compare the new proposed password against is defined in the MaximumHistory entry in the password policy file. The default is 1.
Action: Instruct the user to choose a password that has not been previously used.
Chapter 9 | 273 |