Testing network authentication service configuration

To test the network authentication service configuration, request a ticket-granting ticket for your i5/OS^® principal.

After you have created the home directories for each user that will connect to the i5/OS applications, you can test the network authentication service configuration by requesting a ticket-granting ticket for your i5/OS principal. Before requesting a ticket, you should ensure that these common errors are fixed:

• Do you have all the prerequisites for network authentication service?

• Does a home directory exist on the i5/OS operating system for the user who issues the ticket request? See Creating a home directory for details.

• Do you have the correct password for the i5/OS principal? This password was created during network authentication configuration and should be specified in your planning worksheets.

• Have you added the i5/OS principal to the Kerberos server? See Adding i5/OS principals to the Kerberos server for details.

To test network authentication service...

1. On a command line, enter QSH to start the Qshell Interpreter.
2. Enter keytab list to display a list of principals registered in the keytab file. The following results should display:

   Principal: krbsvr400/systema.myco.com@MYCO.COM      
     Key version: 2                                                       
     Key type: 56-bit DES using key derivation                            
     Entry timestamp: 200X/05/29-11:02:58                                 

3. Enter kinit -k krbsvr400/fully qualified host name@REALM NAME to request a ticket-granting ticket from the Kerberos server. For example, krbsvr400/systema.myco.com@MYCO.COM might be a valid principal name for the system. This command verifies that your system has been configured properly and the password in the keytab file matches the password stored on the Kerberos server. If this is successful, the QSH command displays without errors.
4. Enter klist to verify that the default principal is krbsvr400/fully qualified host name @REALM NAME. This command displays the contents of a Kerberos credentials cache and verifies that a valid ticket has been created for the i5/OS service principal and placed within the credentials cache on the system.

    Ticket cache: FILE:/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/creds/krbcred                                                                     
    Default principal: krbsvr400/systema.myco.com@MYCO.COM  
                                                                               
   Server: krbtgt/MYCO.COM@MYCO.COM              
     Valid 200X/06/09-12:08:45 to 20XX/11/05-03:08:45                          
   $                                                                           

What do I do next:

Configuring Enterprise Identity Mapping

This task is optional if you are using network authentication service with your own applications. However, this task is recommended for use with IBM-supplied applications to create a single sign-on environment.

Parent topic: