IBM Support

Single Sign-On Configuration

Troubleshooting


Problem

This document contains information on Single Sign-On setup.

Resolving The Problem


A more comprehensive look at EIM Single Sign-On can be found in IBM Redbook SG24-6975, located at the following URL:

http://www.redbooks.ibm.com/redpieces/abstracts/sg246975.html


Planning Phase

Part A

Before configuring Single Sign-On, you should complete the planning worksheet below. Record your value for each item in the Result column.

  • Configuration Planning Worksheet

    Item  Information to Collect                                                                                   Result
    A     What is the name of the Kerberos default realm to which the IBM i will belong?
    B     What is the KDC for this Kerberos default realm?
    C     What is your KDC's fully qualified host name?
    D     What is the port on which the KDC listens?
    E     What is the name of the password server for this KDC?
    F     What is the port of your password server?
    G     What is the password for your IBM i service principal(s)? **

    The following items will be used to create the IBM i principal on the KDC:

    H     What is the name of the Kerberos principal?                                                             krbsvr400 (this name must be used when creating the IBM i principal)
    I     What is your IBM i host name?
    J     What is the fully qualified host name of the IBM i?
    K     What is the name of the Kerberos default realm to which the IBM i server belongs?
          (Default = domain name converted to upper case)
    L     What is the full name of the principal?
          (krbsvr400/fully.qualified.host.name@YOUR.KERBEROS.REALM)
    M     What is the password / shared secret for this principal (must be the same as Item G)?

    The following items will be used to configure Enterprise Identity Mapping (EIM):

    N     Which type of basic EIM configuration do you want to create on your IBM i system?
          o Join an existing domain.
          o Create and join a new domain.
    O     Where do you want to configure your EIM domain, or what EIM domain do you want to join?
    P     What is the name of the EIM domain you want to create or join?
    Q     Do you want to specify a parent DN for the EIM domain? If yes, specify the parent DN.
    R     What is the administrator distinguished name (DN) on the LDAP server that will be used as the EIM domain controller?
    S     What is the administrator password on the LDAP server that will be used as the EIM domain controller? ***

    Notes:
    1. This password must comply with any password restrictions on the KDC.
    2. If you do not know the administrator password, it can be reset with the command CHGDIRSVRA on R610, or in Navigator for release 540 and below.

Part B

Be sure all the DNS records (A and PTR) for the IBM i system and the Active Directory server are configured in your network DNS server.

  • DNS Records

    1. Open a DOS window and type nslookup.

    2. Once in the nslookup shell, type the name of the IBM i system that you will be connecting to and press Enter:

    [Screenshot: DOS window of nslookup]

    3. Do the same for the Windows Active Directory server:

    [Screenshot: DOS window of nslookup PTR]

    4. Check for the PTR records by typing set type=ptr and pressing Enter. Then type the IP address that was returned for the IBM i name earlier. You should get a record like the example above.

 


Configuration Phase

Step 1

  • Configure Enterprise Identity Mapping and Network Authentication Service

    NOTE: Prior to configuring Enterprise Identity Mapping and Network Authentication Service, it is important to make sure that the LDAP server on the system is functioning. The LDAP server is started using the following command:

    STRTCPSVR SERVER(*DIRSRV)

    The default LDAP instance is QUSRDIR, and you should see a job with this name running in the QSYSWRK subsystem. If this server will not start properly, the issue needs to be resolved prior to any further configuration. If the server has not been used on the system, one option is to wipe out any existing configuration and reconfigure the server fresh. The following article describes how to perform this step:
     





    A. Open System i Navigator, go to Network > Enterprise Identity Mapping > Configuration, right-click, and select Configure:

    [Screenshot: System i Navigator]

    B. For a new setup, select Create and join a new domain; if you already have EIM configured locally or on another system and want to use that for the mapping, select Join an existing domain:

    [Screenshot: EIM Configuration Wizard]

    C. Select the location of the EIM domain controller:

    [Screenshot: EIM Configuration Wizard]

    D. When prompted to configure Network Authentication Service, select Yes:

    [Screenshot: EIM Configuration Wizard]

    E. Type in the name of the Kerberos realm (use your own realm name here; Item A from the planning worksheet):

    [Screenshot: EIM Configuration Wizard]

    F. Fill in the name of the KDC for this realm (this should be the fully qualified host.domain name of your KDC; in most cases this is a Windows Active Directory server; Items B - D from the planning worksheet):

    [Screenshot: EIM Configuration Wizard]

    G. Type the name of the password server for the realm (this is generally the same as the previous step; Items E and F from the planning worksheet):

    [Screenshot: EIM Configuration Wizard]

    H. Check each service you would like to enable for Single Sign-On. For System i Access and Navigator, the IBM i/OS Kerberos Authentication is used:

    [Screenshot: EIM Configuration Wizard]

    I. Type the password that is going to be used for each principal that was selected previously (Item G from the planning worksheet):

    [Screenshot: EIM Configuration Wizard]

    J. To add the principal to Active Directory, a batch file is created to run on the AD server; you can browse to the path where you want to save this file. This .bat file must be executed on the remote Active Directory server.

    [Screenshot: EIM Configuration Wizard]

    K. Type the DN and password for the EIM domain controller (Items R and S from the planning worksheet):

    [Screenshot: EIM Configuration Wizard]

    L. Specify the name of the EIM domain you want to use:

    [Screenshot: EIM Configuration Wizard]

    M. If you want to specify a parent DN for the EIM domain, select it here:

    [Screenshot: EIM Configuration Wizard]

    N. Be sure each registry is selected, and verify that the box labelled Kerberos user identities are case sensitive is left unchecked:

    [Screenshot: EIM Configuration Wizard]

    O. Type the DN and password for the EIM domain controller (Items R and S from the planning worksheet):

    [Screenshot: EIM Configuration Wizard]

     

 


Step 2

  • Test NAS configuration

    A. Go to QShell by using the QSH command from the 5250 emulation session and type the command keytab list (QShell commands are case sensitive).

    [Screenshot: Use the 'keytab list' command in QShell to list all principals]

    B. Page up to the top and verify that you have krbsvr400/<fully qualified domain name>@<UPPER CASE WINDOWS REALM> similar to the example above. Use the copy function in the emulator to copy out this entire principal name and, from the command line in QSH, type kinit -k and paste in the krbsvr400 principal you just copied. Press Enter.

    [Screenshot: The kinit -k command returns a $ prompt if the setup is correct]

    C. If everything is set up correctly, the only thing returned after the kinit -k command should be a $ prompt, as seen in the screenshot above.
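    As an added example (not part of this IBM document), the Part B DNS checks and the Step 2 principal check expressed as a small Python pre-flight script: it confirms that the A and PTR records for the IBM i system and the KDC agree, derives the krbsvr400 principal name from worksheet items J, K and L, and confirms that exactly that name is present in the keytab before kinit -k is attempted. The host names, addresses, DNS records and keytab principal list are constructed stand-ins for your own values and for the output of nslookup and keytab list.

```python
from typing import Dict, List, Optional, Tuple

# Constructed DNS data standing in for the network DNS server that nslookup queries (A and PTR records).
FORWARD: Dict[str, str] = {"ibmi.example.com": "192.0.2.10", "ad1.example.com": "192.0.2.20"}
REVERSE: Dict[str, str] = {"192.0.2.10": "ibmi.example.com", "192.0.2.20": "ad1.example.com"}

# Constructed principal list standing in for the names shown by 'keytab list' in QShell.
KEYTAB_PRINCIPALS: List[str] = ["krbsvr400/ibmi.example.com@EXAMPLE.COM"]

def check_dns(fqdn: str, forward: Dict[str, str] = FORWARD,
              reverse: Dict[str, str] = REVERSE) -> Tuple[bool, str]:
    """Mirror the nslookup steps: the A record must exist and its PTR must name the same host."""
    ip = forward.get(fqdn.lower())
    if ip is None:
        return False, f"no A record for {fqdn}"
    ptr = reverse.get(ip)
    if ptr is None:
        return False, f"no PTR record for {ip}"
    if ptr.lower() != fqdn.lower():
        return False, f"PTR for {ip} is {ptr}, expected {fqdn}"
    return True, ip

def expected_principal(fqdn: str, realm: Optional[str] = None) -> str:
    """Worksheet items H, J, K and L: krbsvr400/<fqdn>@<REALM>, with the realm
    defaulting to the host's DNS domain converted to upper case (item K)."""
    if "." not in fqdn:
        raise ValueError("use the fully qualified host name (worksheet item J)")
    if realm is None:
        realm = fqdn.split(".", 1)[1].upper()
    return f"krbsvr400/{fqdn}@{realm}"

def check_keytab(fqdn: str, principals: List[str], realm: Optional[str] = None) -> Tuple[bool, str]:
    """Confirm the principal to pass to 'kinit -k' is in the keytab exactly as expected;
    a name that differs only in case is reported, since principal names are case sensitive."""
    want = expected_principal(fqdn, realm)
    if want in principals:
        return True, want
    for p in principals:
        if p.lower() == want.lower():
            return False, f"keytab has {p}, expected {want} (check realm case)"
    return False, f"{want} not in keytab; check worksheet item L and rerun the wizard"

def preflight(ibmi_fqdn: str, kdc_fqdn: str, principals: List[str] = KEYTAB_PRINCIPALS) -> Dict[str, Tuple[bool, str]]:
    """Run the Part B DNS checks for both hosts and the Step 2 keytab check for the IBM i host."""
    return {"ibmi_dns": check_dns(ibmi_fqdn), "kdc_dns": check_dns(kdc_fqdn),
            "keytab": check_keytab(ibmi_fqdn, principals)}

if __name__ == "__main__":
    for name, (ok, detail) in preflight("ibmi.example.com", "ad1.example.com").items():
        print(f"{name}: {'OK' if ok else 'FAIL'} - {detail}")
```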

 


Step 3

  • Create EIM Mapping

    A. Log onto EIM Domain Management under Network > Enterprise Identity Mapping > Domain Management > <your EIM domain>, right-click on Identifiers, and select New Identifier:

    [Screenshot: System i Navigator]

    B. Enter the name of the user identifier and click OK:

    [Screenshot: EIM Identifier]

    C. Right-click on the new identifier, select Properties, go to the Associations tab, and click Add:

    [Screenshot: EIM Identifier]

    D. Add the IBM i registry and IBM i user profile, select Target for the Association type, and click OK:

    [Screenshot: EIM Identifier]

    E. Click the Add button again from the Associations tab, click Browse in the Registry area, and select the Kerberos realm that was configured in Step 1:

    [Screenshot: EIM Identifier]

    F. Type in the Windows user profile and select Source for the Association type:

    [Screenshot: EIM Identifier]


Historical Number

558590066

Document Information

Modified date:
18 December 2019

UID

nas8N1012326