AD domain user authentication fails because the SPN account of the TSM server has been locked in the AD domain

Publication Date: 2012-11-08
Issue Description
In a TSM system environment, users who authenticate through the AD domain report that AD domain user authentication fails, with the message "get AD ticket failure".
Alarm Information
None.
Handling Process
1. Check the time on the TSM server and on the AD domain controller. The difference is less than 2 minutes, so the condition that the clocks are not synchronized is not met and this cause is ruled out.
2. Ping the domain controller's domain name from the terminal and from the TSM server. The name resolves correctly and the ping succeeds, so DNS resolution of the AD domain controller address is normal and its IP is reachable.
3. Check the configuration of the AD domain controller. The synchronized SPN account of the TSM server is found to have been locked.
4. Ask the customer for the reason. The customer recalled that the system was hardened before the failure, which should have changed security policies related to the domain controller; the SPN account was wrongly considered unnecessary and was locked manually.
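
The checks in steps 1 to 3, written as an added PowerShell example (not part of the original case and not the vendor's tooling), to be run from the TSM server or a management host with the ActiveDirectory module installed. The domain controller name and the account name are placeholder assumptions, and the SPN account is assumed to be a user object.

```powershell
# Placeholder values (assumptions); replace with the site's own names.
$DomainController = 'dc01.example.com'   # hypothetical domain controller FQDN
$SpnAccount       = 'tsm-spn'            # hypothetical sAMAccountName of the TSM server's SPN account
$MaxSkewSeconds   = 120                  # the 2-minute limit from step 1

Import-Module ActiveDirectory

# Step 1: clock offset between this host and the domain controller.
$sample = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly |
    Select-Object -Last 1
if ($sample -match '([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]::Parse($Matches[1], [cultureinfo]::InvariantCulture))
    $timeOk = $skew -lt $MaxSkewSeconds
    Write-Output ("Clock offset: {0:N3} s (within limit: {1})" -f $skew, $timeOk)
} else {
    Write-Output "Clock offset could not be measured: $sample"
}

# Step 2: DNS resolution and reachability of the domain controller.
try {
    $addresses = (Resolve-DnsName -Name $DomainController -ErrorAction Stop).IPAddress
    Write-Output "DNS resolves $DomainController to: $($addresses -join ', ')"
} catch {
    Write-Output "DNS resolution failed: $($_.Exception.Message)"
}
$reachable = Test-Connection -ComputerName $DomainController -Count 2 -Quiet
Write-Output "Ping reachable: $reachable"

# Step 3: state of the SPN account. Both a lockout and a disabled
# account stop Kerberos tickets from being issued for the service.
$account = Get-ADUser -Identity $SpnAccount -Server $DomainController `
    -Properties LockedOut, Enabled, ServicePrincipalName, whenChanged
$account | Select-Object SamAccountName, Enabled, LockedOut, whenChanged,
    @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join '; ' } }

if ($account.LockedOut)   { Write-Output "Account is locked out." }
if (-not $account.Enabled) { Write-Output "Account is disabled." }

# Remediation, once the change is confirmed with the domain administrator:
#   Unlock-ADAccount -Identity $SpnAccount    # clears a lockout
#   Enable-ADAccount -Identity $SpnAccount    # re-enables a disabled account
```

The whenChanged value helps match the account change to the date of the hardening work mentioned in step 4.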
Root Cause
1. The TSM server cannot reach the AD domain controller;
2. The AD domain controller's time is not synchronized with the TSM server's time;
3. DNS resolution of the AD domain controller's address fails;
4. The client IP cannot reach the AD domain controller;
5. There is an AD domain configuration problem.
Suggestions
After the SPN account of the TSM server was unlocked manually, AD domain users authenticated normally and the problem was solved.
