Troubleshooting
General Errors
Locking and Unlocking AccountsIf a user or a service principal exceeds the maximum number of failed authentication attempts allowed by the password policy file, the account is locked and the principal is not issued a ticket. Alternatively, a security administrator may have purposefully locked a principal account so that it cannot be used. In each case, the principal remains in the principal database but is unable to use the Kerberos services.
To unlock a principal account, use the graphical user interface or
You must have the correct administrative permissions (i for Inquire About Principals and m for Modify Principals) to lock or unlock an account.
Invoke the
| Clock Synchronization |
| While client clocks are not required to be closely synchronized with the |
| security server or application server, HP recommends that you loosely |
| synchronize all client clocks with the server. |
| If the client clock is outside the permitted clock skew of 5 minutes, the |
| log file on the client system will contain the entries that indicate the |
| condition. |
| To eliminate the warnings, synchronize the client clock with the server to |
| within 5 minutes. |
|
|
NOTE | You must closely synchronize all security server and application server |
| clocks. HP recommends that you implement a secured time service to |
| ensure that all clocks are synchronized. |
|
|
304 | Chapter 11 |