Adding both IBM i service principals to the Kerberos server

You can use one of two methods to add the necessary IBM® i service principals to the Kerberos server.

You can manually add the service principals or, as this scenario illustrates, you can use a batch file to add them. You created this batch file in Step 2. To use this file, you can use the IFS download function in IBM Navigator for i to copy the file to the Kerberos server and run it.

Follow these steps to use the batch files to add principal names to the Kerberos server:

Download the batch files created by the wizard to your Kerberos server.

As the administrator on your Windows server do the following:
  1. In IBM Navigator for i on System A, expand IBM i Management > File Systems > Integrated File System > Root > QIBM > UserData > OS400 > iSeriesNavigator > config
  2. Right-click NASConfig_systema.bat and select Download.
  3. Click the Download button on the Confirm Download page.
  4. Save the file, this will put it in your browser's download location. Refer to your browser's documentation for how to customize the download folder location. Usually this is the Downloads folder.
    Note: It is recommended that you now delete the NASConfig_systema.bat file from System A.
  5. Repeat these steps on System B to download NASConfig_systemb.bat to theWindows server.
Run both batch files on kdc1.myco.com
  1. On your Windows server, open the directory where you downloaded the batch files.
  2. Find the NASConfig_systema.bat file and double click the file to run it.
  3. Repeat these steps for NASConfig_systemb.bat.
  4. After each file runs, verify that the IBM i principal has been added to the Kerberos server by completing the following:
    1. On your Windows server, expand Administrative Tools > Active Directory Users and Computers > Users.
    2. Verify the IBM i model has a user account by selecting the appropriate Windows domain.
      Note: This Windows domain should be the same as the default realm name that you specified in the network authentication service configuration.
    3. In the list of users that is displayed, find systema_1_krbsvr400 and systemb_1_krbsvr400. These are the user accounts generated for the IBM i principal name.
    4. (Optional) Access the properties on your Active Directory user. From the Delegation tab, select Trust this user for delegation to any service (Kerberos only).
      Note: This optional step enables your system to delegate, or forward, a user's credentials to other systems. As a result, the IBM i service principal can access services on multiple systems on behalf of the user. This is useful in a multi-tier network.

Now that you have added the IBM i service principals to the Kerberos server, you can create user profiles on the IBM i model.