Configuring network authentication service

 

Here are the prerequisites and procedures for configuring network authentication service on your systems.

Before you configure network authentication service, you should perform the following tasks:

To configure network authentication service, complete the following steps:

  1. In iSeries™ Navigator, expand your system > Security.

  2. Right-click Network Authentication Service and select Configure to start the configuration wizard.

    After you have configured network authentication service, this option will be Reconfigure.

  3. Review the Welcome page for information about what objects the wizard creates. Click Next.

  4. On the Specify realm information page, enter the name of the default realm in the Default realm field. If you are using Microsoft Active Directory for Kerberos authentication, select Microsoft Active Directory is used for Kerberos authentication. Click Next.

  5. On the Specify KDC information page, enter the name of the Kerberos server for this realm in the KDC field and enter 88 in the Port field. Click Next.

  6. On the Specify password information page, select either Yes or No for setting up a password server. The password server allows principals to change passwords on the Kerberos server. If you select Yes, enter the password server name in the Password server field. The password server has the default port of 464. Click Next.

  7. On the Select keytab entries page, select i5/OS Kerberos Authentication. You can also create keytab entries for the Directory services (LDAP), iSeries NetServer™, and iSeries HTTP server if you want these services to use Kerberos authentication.

    Some of these services require additional configuration to use Kerberos authentication. Click Next.

  8. On the Create i5/OS keytab entry page, enter and confirm a password. Click Next.

    This is the same password you will use when you add the i5/OS principals to the Kerberos server.

  9. On the Create batch file page, select Yes to create this file.

    This page only appears if you selected Microsoft Active Directory is used for Kerberos authentication in Step 4 (above).

  10. In the Batch file field, update the directory path. You can click Browse to locate the appropriate directory path and you can edit the path in the field.

  11. In the Include password field, select Yes. This ensures that all passwords associated with the i5/OS service principal are included in the batch file. It is important to note that passwords are displayed in clear text and can be read by anyone with read access to the batch file.

    You can also manually add the service principals that are generated by the wizard to Microsoft Active Directory. If you want to know how to manually add the i5/OS service principals to Microsoft Active Directory, see Adding i5/OS principals to the Kerberos server.

  12. On the Summary page, review the network authentication service configuration details. Click Finish.

Network authentication service is now configured.
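
The batch file created in steps 9 to 11 holds the i5/OS service principal passwords in clear text, so its readers should be limited to the administrator who runs it. The following PowerShell is an added example, not part of the original procedure; it assumes the file is on an NTFS volume of a Windows PC, and the path and function names are placeholders.

```powershell
# Assumption: placeholder for the path entered in the Batch file field (step 10).
$BatchFile = 'C:\Temp\nas-batch-placeholder.bat'

function Get-BatchFileReaders {
    # List every allow entry that grants read access to the file.
    param([Parameter(Mandatory)][string]$Path)
    $read = [System.Security.AccessControl.FileSystemRights]::ReadData
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $read) -ne 0
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Protect-BatchFile {
    # Replace the ACL with a single entry for the account running this script.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting entries from the parent folder and drop the inherited ones.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove explicit entries that were already on the file.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $own = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me, 'FullControl', 'Allow')
    $acl.AddAccessRule($own)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

if (Test-Path -LiteralPath $BatchFile) {
    Get-BatchFileReaders -Path $BatchFile   # review who can read it now
    Protect-BatchFile -Path $BatchFile
    Get-BatchFileReaders -Path $BatchFile   # re-check after the change
}

# Once the principals exist on the Kerberos server, delete the file:
# Remove-Item -LiteralPath $BatchFile
```

Any copy transferred to the Active Directory server needs the same treatment there.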

 
