Adding the principals for endpoint systems to the Windows 2000 domain

 

Here are the steps for adding principals for endpoint systems.

  1. System B steps

    1. On your Windows® 2000 server, expand Administrative Tools > Active Directory Users and Computers.
    2. Select MYCO.COM as the domain and expand Action > New > User.

      This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.

    3. In the Name field, enter systemb to identify the System i™ platform to this Windows domain. This adds a new user account for System B.
    4. Access the properties on the Active Directory user systemb. From the Account tab, select Account is trusted for delegation. This allows the i5/OS® service principal to access other services on behalf of a signed-in user.
    5. On the Windows 2000 server, you need to map the user account you just created to the i5/OS service principal by using the ktpass command. The ktpass tool is provided in the Service Tools folder on the Windows 2000 Server installation CD. At a Windows command prompt, enter the following command:

      ktpass -mapuser systemb -pass systema123 -princ krbsvr400/systemb.myco.com@MYCO.COM -mapop set

  2. System C steps

    1. On your Windows 2000 server, expand Administrative Tools > Active Directory Users and Computers.
    2. Select MYCO.COM as the domain and expand Action > New > User.

      This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.

    3. In the Name field, enter systemc to identify the System i platform to this Windows domain. This adds a new user account for System C.
    4. Access the properties on the Active Directory user systemc. From the Account tab, select Account is trusted for delegation. This allows the i5/OS service principal to access other services on behalf of a signed-in user.
    5. On the Windows 2000 server, you need to map the user account you just created to the i5/OS service principal by using the ktpass command. The ktpass tool is provided in the Service Tools folder on the Windows 2000 Server installation CD. At a Windows command prompt, enter the following command:

      ktpass -mapuser systemc -pass systema123 -princ krbsvr400/systemc.myco.com@MYCO.COM -mapop set

  3. System D steps

    1. On your Windows 2000 server, expand Administrative Tools > Active Directory Users and Computers.
    2. Select MYCO.COM as the domain and expand Action > New > User.

      This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.

    3. In the Name field, enter systemd to identify the System i platform to this Windows domain. This adds a new user account for System D.
    4. Access the properties on the Active Directory user systemd. From the Account tab, select Account is trusted for delegation. This allows the i5/OS service principal to access other services on behalf of a signed-in user.
    5. On the Windows 2000 server, you need to map the user account you just created to the i5/OS service principal by using the ktpass command. The ktpass tool is provided in the Service Tools folder on the Windows 2000 Server installation CD. At a Windows command prompt, enter the following command:

      ktpass -mapuser systemd -pass systemd123 -princ krbsvr400/systemd.myco.com@MYCO.COM -mapop set
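
A pre-flight check for the three mappings above, as an added example that is not part of the original IBM procedure: it parses each ktpass command line and confirms that the realm matches the Windows domain, that the host belongs to that domain, and that the mapped account matches the host, then lists accounts that share a password without echoing it. The function names are hypothetical, and the rule that the account name equals the short host name is an assumption taken from how these steps name the accounts.

```python
import re
import shlex
from collections import defaultdict

# Sample input: the three ktpass commands from the steps above.
COMMANDS = [
    "ktpass -mapuser systemb -pass systema123 -princ krbsvr400/systemb.myco.com@MYCO.COM -mapop set",
    "ktpass -mapuser systemc -pass systema123 -princ krbsvr400/systemc.myco.com@MYCO.COM -mapop set",
    "ktpass -mapuser systemd -pass systemd123 -princ krbsvr400/systemd.myco.com@MYCO.COM -mapop set",
]
PRINC_RE = re.compile(r"^(?P<svc>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")

def parse(command):
    """Return the option/value pairs of one ktpass command line."""
    tokens = shlex.split(command)
    if len(tokens) % 2 == 0 or tokens[0].lower() != "ktpass":
        raise ValueError("not a well-formed ktpass command: " + command)
    args = tokens[1:]
    return {args[i].lstrip("-/").lower(): args[i + 1] for i in range(0, len(args), 2)}

def check(command, realm, service="krbsvr400"):
    """List the inconsistencies in one mapping command (empty list means none)."""
    opts = parse(command)
    m = PRINC_RE.match(opts.get("princ", ""))
    if not m:
        return ["-princ is not of the form service/host@REALM"]
    problems = []
    if m["svc"] != service:
        problems.append("service is %r, expected %r" % (m["svc"], service))
    if m["realm"] != realm:  # realm names are case-sensitive
        problems.append("realm %r differs from domain %r" % (m["realm"], realm))
    host, _, domain = m["host"].partition(".")
    if domain != realm.lower():
        problems.append("host %r is not in domain %r" % (m["host"], realm.lower()))
    if host != opts.get("mapuser"):  # assumption: account name == short host name
        problems.append("account %r does not match host %r" % (opts.get("mapuser"), host))
    return problems

def shared_passwords(commands):
    """Return groups of accounts that use the same -pass value (passwords not shown)."""
    users = defaultdict(list)
    for opts in map(parse, commands):
        users[opts.get("pass")].append(opts.get("mapuser"))
    return sorted(sorted(group) for group in users.values() if len(group) > 1)

if __name__ == "__main__":
    for cmd in COMMANDS:
        print(parse(cmd)["mapuser"], check(cmd, "MYCO.COM") or "consistent")
    print("accounts sharing a password:", shared_passwords(COMMANDS))
```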

You have completed the propagation of the network authentication service configuration to multiple systems. To configure the Management Central server to take advantage of network authentication service, you need to perform some additional tasks. See Scenario: Using Kerberos authentication between Management Central servers for details.

 
