Filter
Top Products
Troubleshooting
General Errors
Chapter 11304
Locking and Unlocking Accounts
If a user or a service principal exceeds the maximum number of failed
authentication attempts allowed by the password policy file, the account
is locked and the principal is not issued a ticket. Alternatively, a security
administrator may have purposefully locked a principal account so that
it cannot be used. In each case, the principal remains in the principal
database but is unable to use the Kerberos services.
To unlock a principal account, use the graphical user interface or
command-line administrator. In the HP Kerberos
Administrator>Principal Information>Principals tab, clear the
Lock Principal checkbox.
You must have the correct administrative permissions (i for Inquire
About Principals and m for Modify Principals) to lock or unlock an
account.
Invoke the command-line administrator, kadmin and use the mod
[principal] attr {lock | unlock} command.
Clock Synchronization
While client clocks are not required to be closely synchronized with the
security server or application server, HP recommends that you loosely
synchronize all client clocks with the server.
If the client clock is outside the permitted clock skew of 5 minutes, the
log file on the client system will contain the entries that indicate the
condition.
To eliminate the warnings, synchronize the client clock with the server to
within 5 minutes.
NOTE You must closely synchronize all security server and application server
clocks. HP recommends that you implement a secured time service to
ensure that all clocks are synchronized.