Applicable if the application server and front-end Web server are on separate machines.
The iConsole uses Microsoft's Kerberos Authentication to allow the credentials of the user accessing the iConsole to be passed to the CMS for logon (either for direct use if using CA DataMinder single sign-on functionality, or to record the native user name being used to access the CMS), using Windows Delegation. For this process to work if the iConsole front-end server and application server are on separate machines, you must adhere to the following requirements:
If you do not adhere to these requirements, this can result in the error ‘You are not authorized to connect to the CA DataMinder iConsole’, with a 401 error code.
Is Kerberos Active?
To check whether Kerberos is active on an iConsole server, run a netdom command:
netdom verify /d:<domain> <server>
For example:
netdom verify /d:unipraxis.com ux-hardy-as
Note: netdom is not installed by default, but is available from support.cab in the \Support\Tools folder on your Windows distribution media.
If Kerberos is active, this command generates a confirmation, such as:
The secure channel from UX-HARDY-AS to the domain UNIPRAXIS.COM has been verified. The connection is with the machine \\UX-SRVR.UNIPRAXIS.COM.
The command completed successfully.
If Kerberos is not active, check for Kerberos entries in the Security event log in Windows Event Viewer. The most common local problem is timing; the server clock must be within five minutes of the domain controller clock. Other Kerberos problems typically affect the entire domain or require domain administrator permissions. For example, if Kerberos cannot authenticate a user because their account has become corrupt in Active Directory, the account must be reset on the domain controller.
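The five-minute clock requirement described above can be checked from the iConsole server with the Windows w32tm tool. The following PowerShell is an added example, not part of the CA documentation: the function name Get-KerberosClockSkew, the host name dc.example.test and the sample output are constructed, and the parser assumes the English output format of w32tm /stripchart with /dataonly.

```powershell
# Added example (not CA code). Get-KerberosClockSkew is a hypothetical helper
# that reads "w32tm /stripchart ... /dataonly" output and reports whether the
# measured clock offset is inside the five-minute limit stated above.
function Get-KerberosClockSkew {
    param(
        # Output lines from w32tm /stripchart /dataonly
        [Parameter(Mandatory)] [string[]] $StripchartOutput,
        # Five minutes, as required by the text above
        [double] $ToleranceSeconds = 300
    )
    foreach ($line in $StripchartOutput) {
        # Sample lines look like "10:00:00, +00.0123456s"; header lines and
        # "error: 0x..." lines do not match and are skipped.
        if ($line -match '^\s*\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s\s*$') {
            $offset = [double]::Parse($Matches[1],
                [cultureinfo]::InvariantCulture)
            return [pscustomobject]@{
                OffsetSeconds   = $offset
                WithinTolerance = [math]::Abs($offset) -le $ToleranceSeconds
            }
        }
    }
    # No usable sample: the domain controller did not answer the time query.
    throw 'No offset sample found in the w32tm output.'
}

# Constructed sample output: clocks a little over five minutes apart.
$sample = @(
    'Tracking dc.example.test [192.0.2.10:123].',
    'Collecting 1 samples.',
    'The current time is 6/1/2014 10:00:00 AM.',
    '10:00:00, +312.4567890s'
)
Get-KerberosClockSkew -StripchartOutput $sample

# Live use on the iConsole server; replace the placeholder with your
# domain controller name:
# $out = w32tm /stripchart /computer:<domain-controller> /samples:1 /dataonly
# Get-KerberosClockSkew -StripchartOutput $out
```

If WithinTolerance is False, correct the server's time synchronization before re-running netdom verify.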
Copyright © 2014 CA.
All rights reserved.