Configuring network authentication service

Here are the prerequisites and procedures for configuring network authentication service on your systems.

Before you configure network authentication service, you should perform the following tasks:
  • Complete all the necessary planning work sheets.
  • Verify that your PCs and IBM® i platforms resolve the same host names for your IBM i products when they perform host name resolution. Refer to Host name resolution considerations for this task.
  • Configure a Kerberos server on a secure system in your network. If you have configured a Kerberos server in PASE for i, ensure that you have completed all the necessary configuration of the server and client workstations before configuring network authentication on the IBM i platform. See Configuring a Kerberos server in PASE for i for details on configuring a Kerberos server in PASE for i.

    You can also have a Kerberos server configured on Microsoft Windows, Windows Server, or z/OS®. See the Kerberos configuration documentation for the system that will be used as the Kerberos server.

    Configure the Kerberos server before you configure network authentication service on the IBM i platform.

To configure network authentication service, complete the following steps:

  1. In IBM Navigator for i, expand IBM i Management > Security.
  2. Expand All Tasks > Network Authentication Service and select Configure to start the configuration wizard.
    Note: After you have configured network authentication service, this option will be Reconfigure.
  3. Review the Welcome page for information about what objects the wizard creates. Click Next.
  4. On the Specify realm information page, enter the name of the default realm in the Default realm field. If you are using Microsoft Active Directory for Kerberos authentication, select Microsoft Active Directory is used for Kerberos authentication. Click Next.
  5. On the Specify KDC information page, enter the name of the Kerberos server for this realm in the KDC field and enter 88 in the Port field. Click Next.
  6. On the Specify password information page, select either Yes or No for setting up a password server. The password server allows principals to change passwords on the Kerberos server. If you select Yes, enter the password server name in the Password server field. The password server has the default port of 464. Click Next.
  7. On the Select keytab entries page, select IBM i Kerberos Authentication.
    In addition, you can also create keytab entries for the Directory Server (LDAP), IBM i NetServer, HTTP Server, and Network File System (NFS) Server, if you want these services to use Kerberos authentication.
    Note: Some of these services require additional configuration to use Kerberos authentication.
    Click Next.
  8. On the Create IBM i keytab entry page, enter and confirm a password. Click Next.
    Note: This is the same password you will use when you add the IBM i principals to the Kerberos server.
  9. On the Create batch file page, select Yes to create this file.
    Note: This page only appears if you selected Microsoft Active Directory is used for Kerberos authentication in Step 4 (above).
  10. In the Batch file field, update the directory path. You can click Browse to locate the directory, or edit the path directly in the field.
  11. In the Include password field, select Yes.
    This ensures that all passwords associated with the IBM i service principal are included in the batch file. Note that these passwords are stored in clear text and can be read by anyone with read access to the batch file.
    Note: You can also manually add the service principals that are generated by the wizard to Microsoft Active Directory. If you want to know how to manually add the IBM i service principals to Microsoft Active Directory, see Adding IBM i principals to the Kerberos server.
  12. On the Summary page, review the network authentication service configuration details. Click Finish.
Network authentication service is now configured.
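The values the wizard collects in steps 4 through 6 correspond to the standard Kerberos client configuration stanzas. The following MIT-style krb5.conf fragment is an added example, not output of the wizard or text from IBM documentation; the realm EXAMPLE.COM, the host kdc1.example.com and the domain are constructed placeholders, and whether the IBM i configuration file accepts exactly these keys is an assumption.

```ini
# Added example (not from the original page). Realm, host and domain
# names are constructed placeholders; key names follow MIT krb5 syntax.

[libdefaults]
    # Step 4: the Default realm entered in the wizard
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # Step 5: Kerberos server for this realm, KDC port 88
        kdc = kdc1.example.com:88
        # Step 6: password server (only if you answered Yes), default port 464
        kpasswd_server = kdc1.example.com:464
    }

[domain_realm]
    # Map DNS names of hosts in this domain to the realm; these names
    # must match what your PCs and IBM i platforms resolve (see prerequisites)
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Comparing the host names in the [realms] and [domain_realm] sections against what your PCs actually resolve is a quick way to confirm the host name resolution prerequisite was met before principals are added to the Kerberos server.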