Scenario: Creating a single sign-on test environment

In this scenario, you want to configure network authentication service and EIM to create a basic single sign-on test environment. Use this scenario to gain a basic understanding of what configuring a single sign-on environment involves on a small scale before implementing single sign-on across an entire enterprise.

Situation

You, John Day, are a network administrator for a large wholesale company. Currently you spend much of your time troubleshooting password and user identity problems, such as forgotten passwords. Your network consists of several System i® models and a Windows 2000 server, where your users are registered in Microsoft Windows Active Directory. Based on your research, you know that Microsoft Active Directory uses the Kerberos protocol to authenticate Windows users. You also know that the System i platform provides a single sign-on solution based on an implementation of Kerberos authentication, called network authentication service, in conjunction with EIM.

You are excited about the benefits of using single sign-on. However, you want to thoroughly understand single sign-on configuration and usage before you begin using it across your entire enterprise. Consequently, you decide to configure a test environment first.

After considering the various groups in your company, you decide to create the test environment for the Order Receiving department. The employees in the Order Receiving department use multiple applications on one System i model to handle incoming customer orders. Consequently, the Order Receiving department provides an excellent opportunity for you to create a single sign-on test environment that you can use to better understand how single sign-on works and how to plan a single sign-on implementation across your enterprise.

Scenario advantages

  • Allows you to see some of the benefits of single sign-on on a small scale to better understand how you can take full advantage of it before you create a large-scale, single sign-on environment.
  • Provides you with a better understanding of the planning process you need to use to implement single sign-on across your entire enterprise successfully and more quickly.
  • Minimizes the learning curve of implementing single sign-on across your enterprise.

Objectives

As the network administrator at MyCo, Inc., you want to create a small single sign-on environment for testing that includes a small number of users and a single System i model. You want to perform thorough testing to ensure that user identities are correctly mapped within your test environment. Based on this configuration, you eventually want to expand the test environment to include the other systems and users in your enterprise.

The objectives of this scenario are as follows:

  • The System i model, known as System A, must be able to use Kerberos within the MYCO.COM realm to authenticate the users and services that are participating in this single sign-on test environment. To enable the system to use Kerberos, System A must be configured for network authentication service.
  • The directory server on System A must function as the domain controller for the new EIM domain.
    Note: Refer to Domains to learn how an EIM domain and a Windows 2000 domain both fit into the single sign-on environment.
  • One user profile on System A and one Kerberos principal must each be mapped to a single EIM identifier.
  • A Kerberos service principal must be used to authenticate the user to the IBM® i Access for Windows applications.

Details

The following figure illustrates the network environment for this scenario.

Figure: Single sign-on test environment diagram

The figure illustrates the following points relevant to this scenario.

EIM domain data defined for the enterprise

  • An EIM registry definition for System A called SYSTEMA.MYCO.COM.
  • An EIM registry definition for the Kerberos registry called MYCO.COM.
  • An EIM identifier called John Day. This identifier uniquely identifies John Day, the administrator for MyCo.
  • A source association for the jday Kerberos principal on the Windows 2000 server.
  • A target association for the JOHND user profile on System A.

Windows 2000 server

  • Acts as the Kerberos server (kdc1.myco.com), also known as a key distribution center (KDC), for the network.
  • The default realm for the Kerberos server is MYCO.COM.
  • A Kerberos principal of jday is registered with the Kerberos server on the Windows 2000 server. This principal will be used to create a source association to the EIM identifier, John Day.

System A

  • Runs IBM i Version 5 Release 4 (V5R4), or later, with the following options and licensed programs installed:
    • IBM i Host Servers (5761-SS1 Option 12)
    • Qshell Interpreter (5761-SS1 Option 30)
    • IBM i Access for Windows (5761-XE1)
    Note: You can implement this scenario using a server that runs IBM i V5R3 or later. However, some of the configuration steps will be slightly different due to IBM i V5R4 enhancements. 5722 is the product code for IBM i options and products prior to V6R1.
  • The IBM Directory Server for System i (LDAP) on System A will be configured to be the EIM domain controller for the new EIM domain, MyCoEimDomain.
  • System A participates in the EIM domain, MyCoEimDomain.
  • The principal name for System A is krbsvr400/systema.myco.com@MYCO.COM.
  • The user profile of JOHND exists on System A. You will create a target association between this user profile and the EIM identifier, John Day.
  • The home directory (/home/JOHND) for the IBM i user profile JOHND is defined on System A.

Client PC used for single sign-on administration

  • Runs Microsoft Windows 2000 operating system.
  • Runs IBM i Access for Windows (5761-XE1).
  • Runs System i Navigator with the following subcomponents installed:
    • Network
    • Security
  • Serves as the primary logon system for administrator John Day.
  • Configured to be part of the MYCO.COM realm (Windows domain).
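The EIM domain data listed above (two registry definitions, the John Day identifier, and its source and target associations) is what an EIM mapping lookup walks through at sign-on time. The following is an added illustration, not code from the IBM documentation or the EIM API: it models that data in Python and resolves the jday Kerberos principal to the JOHND user profile, returning no mapping when a user has no source association in the source registry. The class and function names are this example's own.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Association:
    kind: str       # "source" (lookup input) or "target" (lookup output)
    registry: str   # EIM registry definition name, e.g. MYCO.COM
    user: str       # user name as known in that registry


@dataclass
class EimDomain:
    """Minimal model of an EIM domain (hypothetical, for illustration)."""
    name: str
    registries: set = field(default_factory=set)
    identifiers: dict = field(default_factory=dict)   # identifier -> [Association]

    def add_registry(self, name: str) -> None:
        self.registries.add(name)

    def add_identifier(self, name: str) -> None:
        self.identifiers.setdefault(name, [])

    def add_association(self, identifier: str, kind: str, registry: str, user: str) -> None:
        if registry not in self.registries:
            raise ValueError(f"unknown registry definition: {registry}")
        if kind not in ("source", "target"):
            raise ValueError(f"association kind must be source or target: {kind}")
        self.identifiers[identifier].append(Association(kind, registry, user))

    def lookup(self, source_registry: str, source_user: str, target_registry: str):
        """Resolve source user -> EIM identifier -> target user in target_registry.

        Only source associations qualify as input and only target associations
        as output, so the mapping is directional. Zero or more than one result
        is treated as "no usable mapping" (this example's policy: fail closed).
        """
        targets = []
        for assocs in self.identifiers.values():
            if any(a.kind == "source" and a.registry == source_registry
                   and a.user == source_user for a in assocs):
                targets += [a.user for a in assocs
                            if a.kind == "target" and a.registry == target_registry]
        return targets[0] if len(targets) == 1 else None


def build_myco_domain() -> EimDomain:
    """Constructed sample data mirroring the scenario's EIM domain."""
    d = EimDomain("MyCoEimDomain")
    d.add_registry("MYCO.COM")             # Kerberos registry (Windows 2000 KDC realm)
    d.add_registry("SYSTEMA.MYCO.COM")     # System A user profile registry
    d.add_identifier("John Day")
    d.add_association("John Day", "source", "MYCO.COM", "jday")
    d.add_association("John Day", "target", "SYSTEMA.MYCO.COM", "JOHND")
    return d
```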

Prerequisites and assumptions

Successful implementation of this scenario requires that the following assumptions and prerequisites are met:

  1. All system requirements, including software and operating system installation, have been verified.
    To verify that the licensed programs have been installed, complete the following:
    1. In System i Navigator, expand your system > Configuration and Service > Software > Installed Products.
    2. Ensure that all the necessary licensed programs are installed.
  2. All necessary hardware planning and setup is complete.
  3. TCP/IP and basic system security are configured and tested on each system.
  4. The directory server and EIM have not been previously configured on System A.
    Note: Instructions in this scenario are based on the assumption that the directory server has not been previously configured on System A. However, if you already configured the directory server, you can still use these instructions with only slight differences. These differences are noted in the appropriate places within the configuration steps.
  5. A single DNS server is used for host name resolution for the network. Host tables are not used for host name resolution.
    Note: The use of host tables with Kerberos authentication might result in name resolution errors or other problems.

Configuration steps

Note: You need to thoroughly understand the concepts related to single sign-on, which include network authentication service and Enterprise Identity Mapping (EIM) concepts, before you implement this scenario. If you are ready to continue with this scenario, complete the following steps: