Propagation

Monitoring Propagation

• Number of principals does not match

• An authentication test to the primary server succeeds but fails on the secondary server

Authentication Problems Occur

The out-of-sync condition may first appear as an intermittent authentication failure. In this scenario, a principal that changes the password, perhaps after the password expires, is not able to authenticate, even though the password change is successful. The principal may continue to attempt authentication, and may even succeed if the authentication attempt is sent to the primary server. However, if the principal fails on one server as many times as specified by the MaxFailAuthCnt parameter in the password policy file, that principal is locked out.

NOTE

HP’s authentication servers do not issue different messages for different situations that cause authentication failure. For security reasons, the error message to the user is the same for bad password, bad user, or locked user.

Failure to authenticate can be caused by a variety of situations, such as incorrectly typed passwords, locked users, and so on. This situation alone does not suggest an out-of-sync condition; further clues are needed.

Administration Appears Normal

The next clue is that administration continues to function normally. Continuing the scenario in which a principal who changed his or her password fails to authenticate, the principal reports the problem to the system administrator. The administrator then uses one of the administration tools to unlock the user, if necessary, and change the user’s password to some simple value. The administrator then gives the newest password to the user.

The principal may then fail to authenticate with the newest password and will report the problem to the administrator. They may repeat the process, but it will not solve the problem. This is another clue that the databases are out of sync and propagation has stopped. If the principal is able to authenticate once, but not again, that is another clue.
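
Because the user-facing error is identical for every failure cause, the clues above have to be correlated from per-server authentication records. The following is an added example, not code from HP or from this manual: the event layout, the server and principal names, and the MAX_FAIL_AUTH_CNT value are constructed assumptions. It flags principals who, after a password change, are accepted by one server and only rejected by another.

```python
from collections import defaultdict

# Assumed value; the real limit is MaxFailAuthCnt in the password policy file.
MAX_FAIL_AUTH_CNT = 3

# Constructed sample events (hypothetical layout): (time, server, principal, event)
# where event is "pwchange", "auth_ok" or "auth_fail".
SAMPLE_EVENTS = [
    (100, "primary", "alice", "pwchange"),
    (110, "secondary", "alice", "auth_fail"),
    (120, "primary", "alice", "auth_ok"),
    (130, "secondary", "alice", "auth_fail"),
    (140, "secondary", "alice", "auth_fail"),
    (105, "primary", "bob", "auth_fail"),  # mistyped password, no password change
    (115, "primary", "bob", "auth_ok"),
    (200, "primary", "carol", "pwchange"),
    (210, "primary", "carol", "auth_fail"),  # typo on the same server that later works
    (220, "primary", "carol", "auth_ok"),
]


def find_sync_suspects(events, max_fail=MAX_FAIL_AUTH_CNT):
    """Flag principals whose results differ by server after a password change."""
    changed = set()
    ok = defaultdict(set)                          # principal -> servers that accepted
    fails = defaultdict(lambda: defaultdict(int))  # principal -> server -> failures
    for _when, server, principal, event in sorted(events):
        if event == "pwchange":
            # Only behaviour after the most recent change is relevant.
            changed.add(principal)
            ok[principal] = set()
            fails[principal] = defaultdict(int)
        elif principal in changed and event == "auth_ok":
            ok[principal].add(server)
        elif principal in changed and event == "auth_fail":
            fails[principal][server] += 1
    suspects = {}
    for principal in sorted(changed):
        # Servers that only ever rejected the new password.
        rejecting = sorted(set(fails[principal]) - ok[principal])
        if ok[principal] and rejecting:
            suspects[principal] = {
                "servers_ok": sorted(ok[principal]),
                "servers_fail": rejecting,
                # Simplification: every failure since the change counts toward lockout.
                "locked_on": [s for s in rejecting if fails[principal][s] >= max_fail],
            }
    return suspects
```

A principal flagged here is only a candidate; the principal-count comparison and an authentication test against each server remain the confirming checks.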


Chapter 7

HP UX Kerberos Data Security Software manual Authentication Problems Occur, Administration Appears Normal