Network authentication service

Throughout this documentation, the generic term Kerberos server is used.

A user is authenticated with a principal and a password that is stored in the Kerberos server. After a principal is authenticated, the Kerberos server issues a ticket-granting ticket (TGT) to the user. When a user needs access to an application or a service on the network, the Kerberos client application on the user's PC sends the TGT back to the Kerberos server to obtain a service ticket for the target service or application. The Kerberos client application then sends the service ticket to the service or application for authentication. When the service or application accepts the ticket, a security context is established and the user's application can then exchange data with a target service. Applications can authenticate a user and securely forward his or her identity to other services on the network. When a user is known, separate functions are needed to verify the user's authorization to use the network resources.

Network authentication service implements the following specifications:

• Kerberos Version 5 protocol Request for Comment (RFC) 1510

• Many of the de facto standard Kerberos protocol application programming interfaces (APIs) prevalent in the industry today

• Generic Security Service (GSS) APIs as defined by RFCs 1509, 1964, and 2743

The i5/OS^® implementation of network authentication service operates with authentication, delegation, and data confidentiality services compliant with these RFCs and Microsoft's Windows 2000 Security Service Provider Interface (SSPI) APIs. Microsoft^® Windows Active Directory uses Kerberos as its default security mechanism. When users are added to Microsoft Windows Active Directory, their Windows identification is equivalent to a Kerberos principal. Network authentication service provides for interoperability with Microsoft Windows Active Directory and its implementation of the Kerberos protocol.

• What's new for V5R4
  This topic highlights changes to network authentication service for V5R4.

• Printable PDF
  Use this to view and print a PDF of this information.

• Concepts
  Network authentication service supports Kerberos protocols and Generic Security Service (GSS) APIs that provide user authentication in a network.

• Scenarios: Using network authentication service in a Kerberos network
  These are common scenarios where you use network authentication service to allow the i5/OS operating system to participate in a Kerberos network.

• Planning network authentication service
  Before implementing network authentication service or a Kerberos solution on your network, it is essential to complete the necessary planning tasks.

• Configuring network authentication service
  Network authentication service allows the System i product to participate in an existing Kerberos network. Network authentication service assumes that you have a Kerberos server configured on a secure system in your network.

• Managing network authentication service
  After you have configured network authentication service, you can request tickets, work with key table files, and administer host name resolution. You can also work with credentials files and back up configuration files.

• Troubleshooting
  This troubleshooting information includes common problems for network authentication service, Enterprise Identity Mapping (EIM), and IBM-supplied applications that support Kerberos authentication.

• Network authentication service commands
  These commands help you configure and use network authentication service.

• Related information for network authentication service
  Listed here are information center topics as well as external Web sites that relate to network authentication service.