Kerberos LCM


Uninstaller setup failed to initialize. You might not be able to uninstall the product.

Explanation: You do not have enough privileges to install the Kerberos Login Method for NMAS.

Possible Cause: You are not logged in as an administrator or as a user with administrator-equivalent rights, which is required to install the Kerberos Login Method for NMAS.

Action: Make sure that you log in as administrator or a user with administrator-equivalent rights and install the Kerberos Login Method for NMAS.


NMAS Login Failed Return Code: -1642 (0xFFFFF996) Login Failed

There are a number of possible causes for this error.

Possible Cause: The system time is not synchronized between the hosts.

Action: Synchronize the time between the NMAS Client host, the NMAS Server host, and the KDC host.

Possible Cause: The Realm object or the KDC object has not been configured properly.

Action: Configure all the mandatory attributes of the Realm object and the KDC Object with correct values.

Possible Cause: The User object does not contain the Principal name attribute.

Action: Extend the User object with ForeignPrincipalAux class and specify the krbForeignPrincipalName attribute.

Possible Cause: The hostname or address of the KDC Server has changed in Novell® eDirectory™ and has not been updated in the krb.con file. (This file will be present in the Client Installed folder.)

Action: Update the krb.con file or delete it, so that the client can re-create this file with the updated values.

Possible Cause: The key of the service principal has not been extracted with the correct encryption type.

Action: Check the NMAS server log. If the encryption type does not match, extract the service principal's key using the "encryption type":"salt" combination "des-cbc-crc":"normal".

Possible Cause: The KDC Server's host entry might not be present in DNS.

Action: Update the host entry of the KDC Server in DNS.


User Principal in the Kerberos database has expired

Action: Contact your Kerberos administrator to enable the user principal.


eDirectory Service Principal in the Kerberos database has expired

Action: Contact your Kerberos administrator to enable the eDirectory service principal.


The specified value in the lifetime field is negative or too short

Action: The specified ticket lifetime must be more than the minimum value set by the Kerberos policy. Contact your Kerberos administrator for the minimum ticket lifetime value.


KDC does not support the specified encryption type

Action: For this release, the Kerberos Login Method for NMAS supports only DES-CBC-CRC, DES-CBC-MD5, and DES3-CBC-MD5 encryption types. Contact your Kerberos administrator.
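To check an extracted service principal key against the supported encryption types above before it is imported, the following added example (not Novell code) parses a keytab and reports keys outside the supported set. It assumes the key was extracted to an MIT-format keytab file (version 0x0502); the principal name and the sample keytab are constructed for illustration.

```python
import struct

# Enctype numbers of the three types the page lists as supported.
SUPPORTED = {1: "des-cbc-crc", 3: "des-cbc-md5", 5: "des3-cbc-md5"}

def _counted(buf, off):
    """Read a 16-bit length-prefixed string; return (text, next_offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def keytab_entries(data):
    """Yield (principal, kvno, enctype) per live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        entry, pos = data[pos:pos + max(size, 0)], pos + abs(size)
        if size <= 0:                  # negative length marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        names, off = [], 2
        for _ in range(ncomp + 1):     # realm first, then the name components
            text, off = _counted(entry, off)
            names.append(text)
        # skip name type and timestamp (4 bytes each); read kvno, enctype, key length
        kvno, etype, klen = struct.unpack_from(">BHH", entry, off + 8)
        off += 13 + klen
        if len(entry) - off >= 4:      # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        yield "/".join(names[1:]) + "@" + names[0], kvno, etype

def unsupported_keys(data, principal):
    """Return [(kvno, enctype)] for the principal's keys outside SUPPORTED."""
    return [(k, e) for n, k, e in keytab_entries(data) if n == principal and e not in SUPPORTED]

def _entry(realm, parts, kvno, etype, key):
    """Build one keytab entry; used only for the constructed sample below."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", len(parts)) + cs(realm) + b"".join(map(cs, parts))
            + struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: hypothetical principal with a des-cbc-crc and an AES256 (18) key.
SAMPLE = b"\x05\x02" + b"".join(_entry("EXAMPLE.COM", ["ldap", "srv.example.com"], 2, e,
                                       bytes(n)) for e, n in ((1, 8), (18, 32)))
```

For a real file, pass `open(path, "rb").read()` and the service principal name; an empty result means every key for that principal uses one of the three supported types.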


User Principal not found in the Kerberos database

Action: Contact your Kerberos administrator to create this principal or to find out the correct principal name. Principal names are case-sensitive. Ensure that you specify the principal names with the proper case.


eDirectory Service Principal not found in the Kerberos database

Possible Cause: The specified eDirectory service principal was not found in the Kerberos database.

Action: Contact your Kerberos administrator to create this principal or to find out the correct principal name. Principal names are case-sensitive. Ensure that you specify the principal names with the proper case.


User Principal not yet valid - Try again later

Possible Cause: The Kerberos administrator has not yet enabled the user principal.

Action: Contact your Kerberos administrator to enable this principal.


eDirectory Service Principal not yet valid - Try again later

Possible Cause: The Kerberos administrator has not yet enabled the eDirectory service principal.

Action: Contact your Kerberos administrator to enable this principal.


User Principal Password in Kerberos database has expired

Possible Cause: The user principal password in the Kerberos database has expired.

Action: Contact your Kerberos administrator to enable the Kerberos password.


Decrypt Integrity check failed. Password might be wrong

Possible Cause: An invalid password has been specified or the specified encryption type is not supported.

Action: Either you specified a wrong password, or the specified encryption type is not supported by the Kerberos Login Method for NMAS. For this release, only the DES-CBC-CRC, DES-CBC-MD5, and DES3-CBC-MD5 encryption types are supported. Contact your Kerberos administrator.


Clock skew is too high between the Client and KDC

Possible Cause: The clock skew is more than 5 minutes between the eDirectory server being contacted, the client machine, and the KDC.

Action: Synchronize the time between the eDirectory server, the client machine, and the KDC used for obtaining tickets.


Invalid format for KDC hostname

Possible Cause: The format of the hostname that is specified is invalid.

Action: Check whether the KDC hostname format specified in the krbHostServer attribute of the KDC object in eDirectory is correct.


Cannot contact any KDC for the requested realm

Possible Cause: The KDC could not be contacted for the requested realm.

Action: The Kerberos Login Method for NMAS is unable to contact the KDC because the KDC server might be down. Contact your Kerberos administrator.


The specified KDC hostname/address does not exist

Action: Check whether the KDC hostname/address specified in the krbHostServer attribute of the KDC object in eDirectory is correct.


NMAS Login Failed Return Code: -1634 (0xFFFFF99E) System Resources

There are a few possible causes for this error:

Possible Cause: The system might be running low on memory.

Action: Make sufficient free memory available on the system.

Possible Cause: The krb.con file is in Read-only mode and the required KDC information is not present.

Action: Update the KDC information in the krb.con file or delete it, so that the client can create it with the appropriate entries.