ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamz_5.4.0.1/rzamzaddiseriesaserviceprincipaltothekerberosserver.htm

97 lines
6.4 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Add iSeries A service principal to the Kerberos server" />
<meta name="DC.Relation" scheme="URI" content="rzamzenablesso.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateabasicsinglesignonconfigurationforiseriesa.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreatehomedirectoryforjohndayoniseriesa.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzaddiseriesaserviceprincipaltothekerberosserver" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Add iSeries A
service principal to the Kerberos server</title>
</head>
<body id="rzamzaddiseriesaserviceprincipaltothekerberosserver"><a name="rzamzaddiseriesaserviceprincipaltothekerberosserver"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Add iSeries A
service principal to the Kerberos server</h1>
<div><div class="section"><p>You can use one of two methods to add the necessary <span class="keyword">i5/OS™</span> service
principal to the Kerberos server. You can manually add the service principal
or, as this scenario illustrates, you can use a batch file to add it. You
created this batch file in Step 2. To use this file, you can use File Transfer
Protocol (FTP) to copy the file to the Kerberos server and run it. </p>
<p>Follow
these steps to use the batch file to add principals to the Kerberos server:</p>
<p><span class="uicontrol">FTP
batch file created by the wizard</span></p>
</div>
<ol><li><span>On the <span class="keyword">Windows<sup>®</sup> 2000</span> workstation
that you used to configure network authentication service, open a command
prompt and type <tt>ftp kdc1.myco.com</tt> to start an FTP session on your
PC. You will be prompted for the administrator's user name and password.</span></li>
<li><span>At the FTP prompt, enter <tt>lcd "C:\Documents and Settings\All
Users\Documents\IBM\Client Access"</tt>. Press Enter. You should receive the
message <tt>Local directory now C:\Documents and Settings\All Users\Documents\IBM\Client
Access</tt>.</span></li>
<li><span>At the FTP prompt, type <tt>cd \<em>mydirectory</em></tt>, where <em>mydirectory</em> is
a directory located on kdc1.myco.com.</span></li>
<li><span>At the FTP prompt, type <tt>put NASConfigiseriesa.bat</tt>. You
should receive this message: <tt>226 Transfer complete</tt>.</span></li>
<li><span>Type <tt>quit</tt> to exit the FTP session.</span></li>
</ol>
<div class="section"><div class="p"><strong>Run the batch file on kdc1.myco.com</strong><ol><li>On your <span class="keyword">Windows 2000</span> server,
open the directory where you transferred the batch file.</li>
<li>Find the <tt>NASConfigiseriesa.bat</tt> file and double-click the file
to run it.</li>
<li>After the file runs, verify that the <span class="keyword">i5/OS</span> principal
has been added to the Kerberos server by completing the following:<ol type="a"><li>On your <span class="keyword">Windows 2000</span> server,
expand <span class="menucascade"><span class="uicontrol">Administrative Tools</span> &gt; <span class="uicontrol">Active
Directory Users and Computers</span> &gt; <span class="uicontrol">Users</span></span>.</li>
<li>Verify the <span class="keyword">iSeries™</span> has
a user account by selecting the appropriate <span class="keyword">Windows 2000</span> domain. <div class="note"><span class="notetitle">Note:</span> This <span class="keyword">Windows 2000</span> domain should be the same as
the default realm name that you specified in the network authentication service
configuration.</div>
</li>
<li>In the list of users that is displayed, find <strong>iseriesa_1_krbsvr400</strong>.
This is the user account generated for the <span class="keyword">i5/OS</span> principal
name.</li>
<li>(Optional) Access the properties on your Active Directory user. From the <strong>Account</strong> tab,
select the <strong>Account is trusted for delegation</strong>. <div class="note"><span class="notetitle">Note:</span> This optional step
enables your system to delegate, or forward, a user's credentials to other
systems. As a result, the <span class="keyword">i5/OS</span> service
principal can access services on multiple systems on behalf of the user. This
is useful in a multi-tier network.</div>
</li>
</ol>
</li>
</ol>
</div>
<p>Now that you have added the <span class="keyword">iSeries</span> A
service principal to the Kerberos server, you can create a home directory
for John Day.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzenablesso.htm" title="In this scenario, you want to configure network authentication service and EIM to create a basic single signon test environment. Use this scenario to gain a basic understanding of what configuring a single signon environment involves on a small scale before implementing single signon across an entire enterprise.">Scenario: Create a single signon test environment</a></div>
<div class="previouslink"><strong>Previous topic:</strong> <a href="rzamzcreateabasicsinglesignonconfigurationforiseriesa.htm">Create a basic single signon configuration for iSeries A</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzamzcreatehomedirectoryforjohndayoniseriesa.htm">Create home directory for John Day on iSeries A</a></div>
</div>
</div>
</body>
</html>