Adding both i5/OS service principals to the Kerberos server

You can manually add the necessary i5/OS® service principals to the Kerberos server. As this scenario illustrates, you can also use a batch file to add them. You created this batch file in step 2. To use this file, copy it to the Kerberos server with File Transfer Protocol (FTP) and run it there.

To use the batch file to add principal names to the Kerberos server, follow these steps:

  1. Create FTP batch files

    1. On the Windows® 2000 workstation that the administrator used to configure network authentication service, open a command prompt and type ftp kdc1.myco.com. This starts an FTP session on your PC. You will be prompted for the administrator's user name and password.

    2. At the FTP prompt, type lcd "C:\Documents and Settings\All Users\Documents\IBM\Client Access". Press Enter. You should receive the message Local directory now C:\Documents and Settings\All Users\Documents\IBM\Client Access.

    3. At the FTP prompt, type cd \mydirectory, where mydirectory is a directory located on kdc1.myco.com.

    4. At the FTP prompt, type put NASConfigsystema.bat. You should receive this message: 226 Transfer complete.

    5. Type quit to exit the FTP session.

  2. Run both batch files on kdc1.myco.com

    1. On your Windows 2000 server, open the directory where you transferred the batch files.
    2. Find the NASConfigsystema.bat file and double-click the file to run it.
    3. Repeat steps 1.a through 2.b for NASConfigsystemb.bat.
    4. After each file runs, verify that the i5/OS principal has been added to the Kerberos server by completing the following steps:

      1. On your Windows 2000 server, expand Administrative Tools > Active Directory Users and Computers > Users.

      2. Verify that the System i™ platform has a user account by selecting the appropriate Windows 2000 domain.

        This Windows 2000 domain should be the same as the default realm name that you specified in the network authentication service configuration.

      3. In the list of users that is displayed, find systema_1_krbsvr400 and systemb_1_krbsvr400. These are the user accounts generated for the i5/OS principal name.

      4. Access the properties on your Active Directory users. From the Account tab, select Account is trusted for delegation.

        This optional step enables your system to delegate, or forward, a user's credentials to other systems. As a result, the i5/OS service principal can access services on multiple systems on behalf of the user. This is useful in a multi-tier network.
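The verification in step 2.d can also be scripted. The following PowerShell function is an added example, not part of the IBM procedure: it looks up the two accounts named above with the built-in System.DirectoryServices classes (no AD module needed), lists their service principal names, and reports whether the "Account is trusted for delegation" check box is set by testing the TRUSTED_FOR_DELEGATION bit (0x80000) of userAccountControl. It assumes it runs on a domain-joined Windows host with read access to the domain.

```powershell
# Added example (not from the IBM page): confirm that the i5/OS service
# principal accounts created by the NASConfig batch files exist in Active
# Directory and show whether delegation has been enabled on them.
# Assumption: run on a domain-joined Windows host that can read the domain.

function Test-I5OSPrincipal {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # The batch files create user accounts named <system>_1_krbsvr400;
    # search the current domain for that sAMAccountName.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'servicePrincipalName', 'userAccountControl'))
    $result = $searcher.FindOne()

    if (-not $result) {
        # Account missing: the batch file did not run or ran against another domain
        return [pscustomobject]@{
            Account              = $SamAccountName
            Found                = $false
            SPNs                 = @()
            TrustedForDelegation = $null
        }
    }

    # userAccountControl is a bit field; 0x80000 is TRUSTED_FOR_DELEGATION,
    # the bit that "Account is trusted for delegation" sets on the Account tab.
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Account              = $SamAccountName
        Found                = $true
        SPNs                 = @($result.Properties['serviceprincipalname'])
        TrustedForDelegation = (($uac -band 0x80000) -ne 0)
    }
}

# The two accounts the procedure expects after both batch files have run
'systema_1_krbsvr400', 'systemb_1_krbsvr400' |
    ForEach-Object { Test-I5OSPrincipal -SamAccountName $_ } |
    Format-Table -AutoSize
```

Because step 2.d.iv is optional, TrustedForDelegation is expected to be False unless you chose to enable delegation; run the script before and after changing the setting to confirm the change took effect.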

Parent topic:

Scenario: Enabling single sign-on for i5/OS
Previous topic: Configuring System B to participate in the EIM domain and configuring System B for network authentication service