Scenario: Configure network authentication service

Here are the prerequisites and objectives of adding network authentication service to your network.

Situation

You are a network administrator that manages the network for the order receiving department in your company. You recently added a System i™ product to your network to contain several applications for your department. In your network, you manage users with Microsoft^® Windows^® Active Directory on a Microsoft Windows 2000 server. Currently all of your users have workstations that run Microsoft Windows 2000 operating system. You have your own Kerberos-enabled applications that use Generic Security Services (GSS) APIs.

Objectives

In this scenario, MyCo, Inc. wants to add a System i product to an existing realm where a Windows 2000 server acts as the Kerberos server. The System i platform contains several business critical applications that need to be accessed by the correct users. Users need to be authenticated by the Kerberos server to gain access to these applications.

Details

System A

Runs i5/OS^® V5R3, or later, with the following options and licensed programs installed:
- i5/OS Host Servers (5722-SS1 Option 12)
- Qshell Interpreter (5722-SS1 Option 30)
- iSeries™ Access for Windows (5722-XE1)
- Network Authentication Enablement (5722-NAE) if you are using V5R4, or later
- Cryptographic Access Provider (5722-AC3) if you are running V5R3
The principal name of System A is krbsvr400/systema.myco.com@MYCO.COM.

Windows 2000 server

Acts as the Kerberos server for the MYCO.COM realm.
The fully qualified host name of the Kerberos server is kdc1.myco.com.

Client PCs

Run Windows 2000.
PC used to administer network authentication service has the following products installed:
- iSeries Access for Windows (5722-XE1)
- iSeries Navigator and the Security and Network subcomponents

Prerequisites and assumptions

All system requirements, including software and operating system installation, have been verified.
To verify that the required licensed programs have been installed, follow these steps:
1. In iSeries Navigator, expand your system > Configuration and Service > Software > Installed Products.
2. Ensure that all the necessary licensed programs are installed.
All necessary hardware planning and setup have been completed.
TCP/IP and basic system security have been configured and tested on each of these servers.
A single DNS server is used for host name resolution for the network. Host tables are not used for host name resolution.

The use of host tables with Kerberos authentication might result in name resolution errors or other problems. For more detailed information about how host name resolution works with Kerberos authentication, see Host name resolution considerations.

Configuration steps

To configure network authentication service on your system, complete these steps.

Completing the planning work sheets
Before configuring network authentication service, complete these planning work sheets.
Configuring network authentication service on System A
To configure network authentication service, follow these steps.
Adding System A principal to the Kerberos server
You can manually add the i5/OS service principal to the Kerberos server. As this scenario illustrates, you can also use the batch file you created in Step 2 to add the principal.
Creating a home directory for users on System A
Each user that connects to i5/OS and i5/OS applications needs a directory in the /home directory. This directory contains the name of the user's Kerberos credentials cache.
Testing network authentication service on System A
To verify that you have configured network authentication service correctly, request a ticket-granting ticket for System A principal.

Parent topic: