Adding both IBM i service principals to the Kerberos server
You can use one of two methods to add the necessary IBM® i service principals to the Kerberos server.
You can manually add the service principals or, as this scenario illustrates, you can use a batch file to add them. You created this batch file in Step 2. To use this file, you can use the IFS download function in IBM Navigator for i to copy the file to the Kerberos server and run it.
Follow these steps to use the batch files to add principal names to the Kerberos server:
Download the batch files created by the wizard to your Kerberos server.
As the administrator on your Windows server, do the following:
Run both batch files on kdc1.myco.com
- On your Windows server, open the directory where you downloaded the batch files.
- Find the NASConfig_systema.bat file and double-click the file to run it.
- Repeat these steps for NASConfig_systemb.bat.
- After each file runs, verify that the IBM i principal has been added to the Kerberos server by completing the following:
- On your Windows server, expand .
- Verify the IBM i model has a user account by selecting the appropriate Windows domain. Note: This Windows domain should be the same as the default realm name that you specified in the network authentication service configuration.
- In the list of users that is displayed, find systema_1_krbsvr400 and systemb_1_krbsvr400. These are the user accounts generated for the IBM i principal name.
- (Optional) Access the properties on your Active Directory user. From the Delegation tab, select Trust this user for delegation to any service (Kerberos only). Note: This optional step enables your system to delegate, or forward, a user's credentials to other systems. As a result, the IBM i service principal can access services on multiple systems on behalf of the user. This is useful in a multi-tier network.
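The verification steps above can also be scripted. The following PowerShell is an added example, not part of the original IBM documentation or the wizard's output: it checks that both accounts exist and reports whether the optional delegation setting is turned on, so the setting can be confirmed only where it is intended. It assumes the ActiveDirectory module (RSAT) is installed and that the names shown in the user list match the account's Name or sAMAccountName.

```powershell
# Added example: confirm the accounts created by the NASConfig batch files
# exist and report their delegation setting.
Import-Module ActiveDirectory

# Account names taken from the scenario above.
$expected = 'systema_1_krbsvr400', 'systemb_1_krbsvr400'

function Get-KrbSvr400AccountStatus {
    param([string[]]$Names)

    foreach ($n in $Names) {
        # Assumption: the displayed name equals Name or sAMAccountName.
        $found = Get-ADUser -Filter "Name -eq '$n' -or SamAccountName -eq '$n'" `
                     -Properties ServicePrincipalName, TrustedForDelegation

        if (-not $found) {
            # The batch file did not create the account, or it was run
            # against a different domain than the one being queried.
            [pscustomobject]@{
                Account = $n; Found = $false; Enabled = $null
                DelegateToAnyService = $null; SPNs = ''
            }
            continue
        }

        foreach ($u in @($found)) {
            [pscustomobject]@{
                Account = $u.SamAccountName
                Found   = $true
                Enabled = $u.Enabled
                # True when "Trust this user for delegation to any service
                # (Kerberos only)" is selected on the Delegation tab.
                DelegateToAnyService = $u.TrustedForDelegation
                SPNs    = ($u.ServicePrincipalName -join ', ')
            }
        }
    }
}

$status = Get-KrbSvr400AccountStatus -Names $expected
$status | Format-Table -AutoSize

# Flag anything that needs attention before continuing the scenario.
$status | Where-Object { -not $_.Found } |
    ForEach-Object { Write-Warning "$($_.Account) was not found in the domain." }
$status | Where-Object { $_.DelegateToAnyService } |
    ForEach-Object { Write-Warning "$($_.Account) is trusted for delegation to any service." }
```

Run it as a domain user with read access to the directory. The query runs against the domain of the current session, which should be the Windows domain that matches the default realm.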
Now that you have added the IBM i service principals to the Kerberos server, you can create user profiles on the IBM i model.