POA errors D090, the authentication token is corrupt, malformed or otherwise invalid.

  • 7024917
  • 09-Nov-2020
  • 09-Nov-2020

Environment


GroupWise 18
SUSE Linux Enterprise Server 15

Situation

You have configured SSO against Active Directory as described in TID7018598.
However, when you log on to a test Win10 workstation and start the GW client, it prompts for a password.
The POA log file shows D090 errors like:

13:41:10 73D7 Error: The authentication token is corrupt, malformed or otherwise invalid [D090] in _WpeGssAcceptContext (gss_accept_sec_context=>(0x10000, 0x0))

Resolution

This is an example of how you can troubleshoot this problem at your site.

1. First, install Wireshark on the Win10 workstation.

2. Start recording, then start a GroupWise client to trigger the problem again.

3. Stop recording the LAN trace and save it locally on the workstation. Then open the file in Wireshark. You can filter the probably heavy communication seen in the trace via Statistics | Conversations. Select IPv4 and the row that corresponds to the IP addresses of the workstation and your Windows server. Then right-click on this row and choose Apply as Filter -> Selected -> "A<->B".
Then you will see only the conversation between the workstation and your Windows server, as in the example below:


In the trace you see complaints about missing "_kerberos" and "_ldap" SRV records for the zone "dc._msdcs.pako.com". In this example, the DNS setup had only a record for my AD domain "pako.com". To fix the complaints seen in the LAN trace, a new zone "dc._msdcs.pako.com" was created with two SRV records, for "_ldap" and "_kerberos":


4. Once this was done, the GW client started without a password prompt and we were able to log in to the mailbox. The POA logs did not show any complaints anymore:

14:35:01 73D7 C/S Login Windows  Net Id=ker1 ::GW Id=ker1 :: 147.2.77.46
14:35:01 73D7 Attempting token authentication for user ker1 (ker1)
14:35:05 73D7 Processing update: settings (bag) record (ker1)
14:35:05 73D7 *** APP DISCONNECTED, Tbl Entry=2, Check ID=1604927734
14:36:27 73BF *** CLEANED UP APP. CONN: Tbl Entry=0, Check ID=1604927729

In conclusion, if you see D090 or D091 errors, take a LAN trace from a Windows workstation, check the communication with the Windows server, and see what the complaints are. From there you can start correcting or adding the missing parts.
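
The DNS gap found in step 3 can also be checked directly, before or after the fix, with a small script. This is an added example, not part of the original TID: it queries the two SRV records with `dig` and reports any that are missing. The `_tcp` label and the ports 389 and 88 are assumed from standard Active Directory DNS naming, and all function names are hypothetical.

```python
import subprocess
import sys

# Service label -> usual port. The "_tcp" label and the ports follow standard
# Active Directory DNS naming (assumption; the page names only the services).
REQUIRED = {"_ldap": 389, "_kerberos": 88}


def srv_names(domain):
    """SRV names expected in the dc._msdcs.<domain> zone."""
    zone = "dc._msdcs." + domain.strip(".").lower()
    return {svc: f"{svc}._tcp.{zone}" for svc in REQUIRED}


def dig_srv(name):
    """Default resolver: query DNS with dig (bind-utils) and return its text."""
    out = subprocess.run(["dig", "+short", "SRV", name], capture_output=True,
                         text=True, timeout=10, check=False)
    return out.stdout


def parse_srv(text):
    """Parse 'priority weight port target' lines as printed by dig +short."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            prio, weight, port = map(int, parts[:3])
            records.append((prio, weight, port, parts[3].rstrip(".")))
    return records


def check_domain(domain, resolver=dig_srv):
    """Return {service: problem} for each missing or suspicious SRV record."""
    problems = {}
    for svc, name in srv_names(domain).items():
        records = parse_srv(resolver(name))
        if not records:
            problems[svc] = f"no SRV record for {name}"
        elif all(port != REQUIRED[svc] for _, _, port, _ in records):
            problems[svc] = f"{name} has no target on port {REQUIRED[svc]}"
    return problems


if __name__ == "__main__":
    issues = check_domain(sys.argv[1] if len(sys.argv) > 1 else "pako.com")
    for svc, msg in issues.items():
        print(f"{svc}: {msg}")
    sys.exit(1 if issues else 0)
```

Run it with the AD domain as the only argument; an exit status of 0 means both records resolved.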