I did reach out to support and we are working through this. I guess the biggest gap I'm seeing in the documentation is ensuring the SPN is set up correctly and to point to the SPN. I've been able to piece this through other IBM product documentation that uses DB2 for backend repositories, but there is nothing in the DB2 documentation to help point a poor DBA never dealing with Kerberos before where to go for the basics of setting things up. I have read all of the documentation under DB2 that I can find through searches, but it never states any any time to make sure an SPN is set up. According to the errors I'm getting, that appears to be the issue.
Original Message:
Sent: Thu November 02, 2023 01:40 PM
From: Cintia Ogura
Subject: DMC 3.1.11 - Kerberos setup - trusted domains
Hello Freddie,
If you don't want to create a case, you can try to take a look at DMC log files.
You can even turn on tracing, so DMC can add more details in the log:
![](https://dw1.s81c.com//IMWUC/MessageImages/034470311afc4c9cadff53de7458a26c.png)
Connection issues are usually written in the DS_System log files.
I hope that helps!
------------------------------
Cintia Ogura
Original Message:
Sent: Tue October 31, 2023 03:17 PM
From: Cintia Ogura
Subject: DMC 3.1.11 - Kerberos setup - trusted domains
Hello Freddie,
Create a case with IBM support and send us the DMC collector for an initial investigation?
Here are the instructions:
https://www.ibm.com/docs/en/db2-data-mgr-console/3.1.x?topic=support-exchanging-information
------------------------------
Cintia Ogura
Original Message:
Sent: Tue October 31, 2023 03:05 PM
From: Freddie Callander
Subject: DMC 3.1.11 - Kerberos setup - trusted domains
Screen Shot
------------------------------
Freddie Callander
Original Message:
Sent: Tue October 31, 2023 03:03 PM
From: Freddie Callander
Subject: DMC 3.1.11 - Kerberos setup - trusted domains
I followed the article, stopped the console, made the jvm.options change (finally found the file), restarted teh console, tried to connect and same error
Fail to establish connection with the connection profile DATABASE.Caught javax.security.auth.login.LoginException while using JAASLogin. See attached Throwable for details.
------------------------------
Freddie Callander
Original Message:
Sent: Tue October 31, 2023 01:51 PM
From: Cintia Ogura
Subject: DMC 3.1.11 - Kerberos setup - trusted domains
Hello Freddie,
Quick question, have you tried to follow the instructions from the DMC manual at:
https://www.ibm.com/docs/en/db2-data-mgr-console/3.1.x?topic=support-resolving-kerberos-connection-issues
------------------------------
Cintia Ogura
Original Message:
Sent: Tue October 31, 2023 01:47 PM
From: Freddie Callander
Subject: DMC 3.1.11 - Kerberos setup - trusted domains
The instance the database is set up on is AUTHENTICATION KERBEROS due to an application requirement. If I try clear username and password, I get the error "Fail to establish connection with the connection profile DATABASE.Connection authorization failure occurred. Reason: Security mechanism not supported."
The only logs I get from the Console application are logs in my AppData\Roaming\IBM DB2 Data Management Console \Logs folder which tell me nothing
I have looked through the installation_path/bin/logs log files and cannot see any connection errors occurring.
I have queried every log file on the drive for the DATABASE name and the only location it occurs is in C:\Program Files\IBM Db2 Data Management Console\resources\bin\addons\drs\drs-agent\logs
------------------------------
Freddie Callander
Original Message:
Sent: Tue October 31, 2023 02:45 AM
From: Sahan Mendis
Subject: DMC 3.1.11 - Kerberos setup - trusted domains
I have monitored database in a separate domain using clear username and password. Are you able to use that method?
You can collect the logs of DMC by going to help>export logs in the IBM data Management Console App (not web app) or you can go to the installation_path/bin/logs for more logs
And what information you could see in "See attached Throwable for details" as the error message.
------------------------------
Sahan Mendis
Original Message:
Sent: Mon October 30, 2023 12:47 PM
From: Freddie Callander
Subject: DMC 3.1.11 - Kerberos setup - trusted domains
I was hoping someone would be able to help lend a hand on what I'm missing in the documentation.
Here is the scenario I have;
a) DMC is on it's own server in domain D1 - the repository is on a different server
b) DMC needs to talk to over 100 other domains as that is where our customer databases reside
c) I'm trying to set up a Connection Profile in DMC for a database in domain D2. I've tried securityMechanism=11 and I've tried Kerberos from the drop down menu and both come back with an error "DATABASE.Caught javax.security.auth.login.LoginException while using JAASLogin. See attached Throwable for details."
d) I still haven't found the logs that hold the error and there is no krb5.ini file anywhere on the system.
e) This is Windows to Windows connections
Any help would be appreciated.
Thank you
------------------------------
Freddie Callander
------------------------------