Domains

EIM and Windows domains are used to implement a single sign-on environment.

Although both the EIM domain and Windows domain contain the word domain, they have very different definitions. Use the following descriptions to understand the differences between these two types of domains.

EIM domain
An EIM domain is a collection of data, which includes the EIM identifiers, EIM associations, and EIM user registry definitions that are defined in that domain. This data is stored in a Lightweight Directory Access Protocol (LDAP) server, such as the IBM® Tivoli® Directory Server for IBM i, which can run on any system in the network. Administrators can configure systems (EIM clients), such as IBM i, to participate in the domain so that systems and applications can use domain data for EIM lookup operations and identity mapping.
Windows domain
In the context of single sign-on, a Windows domain is a Windows network that contains several systems operating as clients and servers and a variety of services and applications used by the systems. The following are some of the components pertinent to single sign-on that you might find within a Windows domain:

Realm
A realm is a collection of machines and services. The main purpose of a realm is to authenticate clients and services. Each realm uses a single Kerberos server to manage the principals for that particular realm.
Kerberos server
A Kerberos server, also known as a key distribution center (KDC), is a network service that resides on the Windows server and provides tickets and temporary session keys for the network authentication service. The Kerberos server maintains a database of principals (users and services) and their associated secret keys. It is composed of the authentication server and the ticket granting server. A Kerberos server uses Microsoft Windows Active Directory to store and manage the information in a Kerberos user registry.
Microsoft Windows Active Directory
Microsoft Windows Active Directory is an LDAP server that resides on the Windows server along with the Kerberos server. The Active Directory is used to store and manage the information in a Kerberos user registry. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism. Therefore, if you are using Microsoft Active Directory to manage your users, you are already using Kerberos technology.