Host name resolution considerations

To ensure that Kerberos authentication and host name resolution work properly with your Kerberos-enabled applications, verify that your PCs and your IBM® i platforms resolve the same host name for the system on which the service application resides.

In a Kerberos environment, both the client and the server use some method of host name resolution to determine the host name for the system on which a particular application or service resides. If the IBM i platforms and the PCs use a Domain Name System (DNS) server, it is important that they use the same DNS server to perform host name resolution or, if they use more than one DNS server, that the host names are the same on both DNS servers. If your IBM i platform or PC resolves host names locally (from a local host table or file), they might resolve a host name that is different from the corresponding host name recorded on the DNS server. This might cause network authentication service to fail.

To ensure that Kerberos authentication and host name resolution work properly with your Kerberos-enabled applications, you must verify that your PCs and your IBM i platforms resolve the same host name for the system on which the service application resides. In the following example, this system is called System A.

The following instructions demonstrate how to determine whether the PCs and IBM i platforms resolve the same name for System A. Refer to the example work sheets as you follow the instructions.

You can enter your own information in the blank work sheets when you perform these steps for your Kerberos realm.

This graphic illustrates the system files and records that contain host name information in the following example.
Note: The IP address 10.1.1.1 represents a public IP address. This address is for example purposes only.
[Figure: Host resolution considerations]

Details

DNS server

  • Contains data resource records that indicate that IP address 10.1.1.1 correlates to host name systema.myco.com, the IP address and host name for System A.
  • Might be used by the PC, System A, or both for host resolution.
    Note: This example demonstrates one DNS server. However, your network might use more than one DNS server. For example, your PC might use one DNS server to resolve host names and your IBM i platform might use a different DNS server. You need to determine how many DNS servers your realm is using for host resolution and adapt this information to your situation.

PC

  • Runs a Windows operating system.
  • Represents both the PC used to administer network authentication service and the PC used by a user with no special authorities for his routine tasks.
  • Contains the hosts file, which indicates that IP address 10.1.1.1 correlates to host name systema.myco.com.
    Note: You can find the hosts file in this folder:
    • Windows XP, Windows Vista, and Windows 7 operating system: C:\WINDOWS\system32\drivers\etc\hosts

System A

  • Runs IBM i 5.4, or later.
  • Contains a service application that you need to access using network authentication service (Kerberos authentication).
  • Within the Configure TCP (CFGTCP) menu, options 10 and 12 indicate the following information for System A:
    • Option 10 (Work with TCP/IP host table entries):
      • Internet Address: 10.1.1.1
      • Host Name: systema.myco.com
    • Option 12 (Change TCP/IP domain information):
      • Host name: systema
      • Domain name: myco.com
      • Host name search priority: *LOCAL or *REMOTE
        Note: The Host name search priority parameter indicates either *LOCAL or *REMOTE depending on how your network administrator configured TCP/IP to perform host resolution on the system.

Table 1. Example: PC host name resolution work sheet
On the PC, determine the host name for System A.

| Step | Source | Host name |
|---|---|---|
| 1.a.1 | PC hosts file | systema.myco.com |
| 1.b.1 | DNS server | systema.myco.com |

Table 2. Example: IBM i host name resolution work sheet
On System A, determine the host name for System A.

| Step | Source | Host name |
|---|---|---|
| 2.a.2 | System A, CFGTCP menu, option 12 | Host name: systema; Domain name: myco.com; Note: Host name search priority value: *LOCAL or *REMOTE |
| 2.b.2 | System A, CFGTCP menu, option 10 | systema.myco.com |
| 2.c.1 | DNS server | systema.myco.com |

Table 3. Example: Matching host names work sheet
These three host names must match exactly.

| Step | Host name |
|---|---|
| Step 1 | systema.myco.com |
| Step 2.a.2 | systema, myco.com |
| 2d | systema.myco.com |
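
The comparison that the matching host names work sheet asks for can be scripted once the values are recorded. The following Python code is an added example, not part of the original documentation; the function names, the constructed hosts file content, and the rule that the first name on a hosts-file line is the name that source returns are assumptions made for illustration.

```python
# Added example: hosts-file text and all names below are constructed samples.
SAMPLE_HOSTS = """\
# constructed PC hosts file; the short name is listed first
127.0.0.1   localhost
10.1.1.1    systema systema.myco.com   # System A
"""


def hosts_file_name(hosts_text, ip):
    """Return the first name listed for ip in hosts-file text, or None.

    Assumption: the first name on the line is the one the source resolves.
    """
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] == ip:
            return fields[1]
    return None


def compare_names(names_by_source):
    """Group sources by the exact name each returns; one group means a match."""
    groups = {}
    for source, name in names_by_source.items():
        if name is not None:                     # None: source has no entry
            groups.setdefault(name, []).append(source)
    # Names that differ only in letter case still fail an exact match.
    case_only = len(groups) > 1 and len({n.lower() for n in groups}) == 1
    return {"match": len(groups) == 1, "case_only": case_only, "groups": groups}


def check_system_a(hosts_text, dns_name, cfg_host, cfg_domain, host_table_name,
                   ip="10.1.1.1"):
    """Fill in the matching work sheet from the recorded sources."""
    return compare_names({
        "PC hosts file": hosts_file_name(hosts_text, ip),
        "DNS server": dns_name,
        "CFGTCP option 12": f"{cfg_host}.{cfg_domain}",
        "CFGTCP option 10": host_table_name,
    })


if __name__ == "__main__":
    result = check_system_a(SAMPLE_HOSTS, "systema.myco.com",
                            "systema", "myco.com", "systema.myco.com")
    for name, sources in result["groups"].items():
        print(f"{name!r}: {', '.join(sources)}")
    print("match" if result["match"] else "MISMATCH")
```

With the constructed hosts file, the PC source returns the short name systema while the other sources return systema.myco.com, so the check reports a mismatch.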

You can use the following three work sheets to verify that your PCs and your IBM i platforms resolve the same host name for the system on which the service application resides.

Table 4. PC host name resolution work sheet
On the PC, determine the host name for the IBM i platform.

| Step | Source | Host name |
|---|---|---|
| 1.a.1 | PC hosts file | |
| 1.b.1 | DNS server | |

Table 5. IBM i host name resolution work sheet
On the IBM i platform, determine the host name for the IBM i platform.

| Step | Source | Host name |
|---|---|---|
| 2.a.2 | IBM i, CFGTCP menu, option 12 | Host name: ; Domain name: ; Note: Host name search priority value: *LOCAL or *REMOTE |
| 2.b.2 | IBM i, CFGTCP menu, option 10 | |
| 2.c.1 | DNS server | |

Table 6. Matching host names work sheet
These three host names must match exactly.

| Step | Host name |
|---|---|
| Step 1 | |
| Step 2.a.2 | |
| 2d | |