Additional configuration requirements for Kerberos V5 authentication enablement


To use Kerberos V5 authentication with iSeries™ NetServer™, you need to configure Enterprise Identity Mapping (EIM) and Network authentication service.

Complete all of the following steps before restarting the system:

  1. If you currently have EIM and Network authentication service configured, skip this step and proceed to step 2.

    The EIM configuration wizard gives you the option to configure Network authentication service, if it is not currently configured on your system. In this event, select to configure the Network authentication service, because it is a required service to use Kerberos V5 authentication with iSeries NetServer.

    To configure EIM and Network authentication service:

    1. Open iSeries Navigator and connect to the system with which you want to work.

    2. Expand Network.

    3. Right-click Enterprise Identity Mapping and select Configure.

    4. Follow the instructions in the EIM configuration wizard.

    If Network authentication service is not currently configured on the system, you will be prompted to configure this service during the EIM configuration wizard. You must ensure that you select to add the iSeries NetServer service principals when configuring Network authentication service.

  2. If Network authentication service is already configured on your system, manually add the service principal names to the keytab.

    1. For Windows 2000 clients:

      HOST/<fully qualified name>@<REALM>
      HOST/<qname>@<REALM>
      HOST/<IP Address>@<REALM>

    2. For Windows XP and Windows Server 2003 clients:

      cifs/<fully qualified name>@<REALM>
      cifs/<qname>@<REALM>
      cifs/<IP Address>@<REALM>

    Keytab entries can be added using the Kerberos Key Tab (QKRBKEYTAB) API. On a command line, use the following command string: CALL PGM(QKRBKEYTAB) PARM('ADD' 'HOST/qname') where qname is the fully qualified name or the IP address.

  3. Additional setup is required on the Windows® 2000 or Windows Server 2003 domain controller that the iSeries NetServer clients use as the Key Distribution Center (KDC).

    Complete the following steps to configure an iSeries NetServer service principal on the Windows KDC:

    1. Install the Support Tools from your Windows server CD.

      Instructions for installing the Support Tools can be found in Microsoft® KB article Q301423 (support.microsoft.com/support/kb/articles/Q301/4/23.ASP).

    2. Create a new user in the Active Directory.
    3. From a command prompt, use the ktpass.exe support tool to map a service principal to the newly created user. The password used for ktpass should match the password used to create the service principal on the system. Substituting your own parameters for the items in < >, use the appropriate command call as follows.

      For Windows 2000 clients:

      ktpass -princ HOST/<iSeriesNetServerName>@<REALM> -mapuser <new user> -pass <password>

      For Windows XP or Windows Server 2003 clients:

      ktpass -princ cifs/<iSeriesNetServerName>@<REALM> -mapuser <new user> -pass <password>

      Only one principal can be mapped to a user. If both HOST/* and cifs/* principals are needed, each must be mapped to a separate Active Directory user.

    4. Repeat steps 3.b and 3.c (create another Active Directory user and map the principal to it with ktpass) if you want to access iSeries NetServer using additional principal names.

    5. Restart the system.
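Before restarting, it helps to check that the keytab really holds every principal the clients will ask for, since a missing cifs/ or HOST/ entry (or one whose case does not match) only shows up as a failed Kerberos negotiation later. The following Python planner is an added example, not IBM's code: given the host's fully qualified name, short name, IP address and realm (all constructed sample values here), it lists the principals that are still missing, the QKRBKEYTAB calls that add them, and a ktpass mapping that respects the one-principal-per-user rule. The netsrvN user names and the <password> placeholder are assumptions.

```python
"""Plan and verify the Kerberos service principals iSeries NetServer needs."""
# Added example, not IBM's code.  Host names, IP address and realm below
# are constructed sample values.

# Windows 2000 clients request HOST/ tickets; Windows XP and Server 2003
# clients request cifs/ tickets (see the keytab step above).
SERVICE_BY_CLIENT = {"win2000": "HOST", "winxp_2003": "cifs"}


def required_principals(fqdn, short_name, ip, realm, clients=("win2000", "winxp_2003")):
    """Principal names the keytab must hold for the given client types."""
    names = (fqdn, short_name, ip)
    return {f"{SERVICE_BY_CLIENT[c]}/{n}@{realm}" for c in clients for n in names}


def missing_principals(keytab_entries, fqdn, short_name, ip, realm):
    """Required principals absent from the keytab; Kerberos names are case-sensitive."""
    return sorted(required_principals(fqdn, short_name, ip, realm) - set(keytab_entries))


def qkrbkeytab_add_commands(principals):
    """CL command strings that add each principal with the QKRBKEYTAB API."""
    return [f"CALL PGM(QKRBKEYTAB) PARM('ADD' '{p}')" for p in principals]


def ktpass_plan(principals, user_prefix="netsrv"):
    """Assign each principal its own AD user, since ktpass maps one principal per user.
    User names are constructed; the password stays a placeholder."""
    plan = []
    for i, p in enumerate(sorted(principals), start=1):
        user = f"{user_prefix}{i}"
        plan.append((user, f"ktpass -princ {p} -mapuser {user} -pass <password>"))
    return plan


if __name__ == "__main__":
    # Constructed snapshot of what the keytab holds before the fix.
    existing = [
        "HOST/myiseries.example.com@EXAMPLE.COM",
        "HOST/myiseries@EXAMPLE.COM",
        "HOST/192.0.2.10@EXAMPLE.COM",
        "cifs/myiseries.example.com@EXAMPLE.COM",
    ]
    gaps = missing_principals(existing, "myiseries.example.com", "myiseries",
                              "192.0.2.10", "EXAMPLE.COM")
    for cmd in qkrbkeytab_add_commands(gaps):
        print(cmd)
    for user, cmd in ktpass_plan(gaps):
        print(f"{user}: {cmd}")
```

Run it against the principal list reported for your keytab; an empty result from missing_principals means every name form for both client types is covered.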

