<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Add both i5/OS service principals to the Kerberos server" />
<meta name="DC.Relation" scheme="URI" content="rzamzenablessoos400.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzconfigureiseriesbtoparticipateintheeimdomainandconfigureiseriesbfornetworkauthenticationservice.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateuserprofilesoniseriesaandiseriesb.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzaddbothos400serviceprincipalstothekerberosserver" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Add both i5/OS service
principals to the Kerberos server</title>
</head>
<body id="rzamzaddbothos400serviceprincipalstothekerberosserver"><a name="rzamzaddbothos400serviceprincipalstothekerberosserver"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Add both i5/OS service
principals to the Kerberos server</h1>
<div><div class="section"><p>You can use one of two methods to add the necessary <span class="keyword">i5/OS™</span> service
principals to the Kerberos server. You can manually add the service principals
or, as this scenario illustrates, you can use a batch file to add them. You
created this batch file in Step 2. To use this file, you can use File Transfer
Protocol (FTP) to copy the file to the Kerberos server and run it. </p>
<p>Follow
these steps to use the batch file to add principal names to the Kerberos server:</p>
<p><span class="uicontrol">FTP
batch files created by the wizard</span></p>
</div>
<ol><li class="stepexpand"><span>On the <span class="keyword">Windows<sup>®</sup> 2000</span> workstation
that the administrator used to configure network authentication service, open
a command prompt and type <tt>ftp kdc1.myco.com</tt>. This will start an FTP
session on your PC. You will be prompted for the administrator's user name
and password.</span></li>
<li class="stepexpand"><span>At the FTP prompt, type <tt>lcd "C:\Documents and Settings\All
Users\Documents\IBM\Client Access"</tt>. Press Enter. You should receive the
message <tt>Local directory now C:\Documents and Settings\All Users\Documents\IBM\Client
Access</tt>.</span></li>
<li class="stepexpand"><span>At the FTP prompt, type <tt>cd \<em>mydirectory</em></tt>, where <em>mydirectory</em> is
a directory located on kdc1.myco.com.</span></li>
<li class="stepexpand"><span>At the FTP prompt, type <tt>put NASConfigiseriesa.bat</tt>. You
should receive this message: <tt>226 Transfer complete</tt>.</span></li>
<li class="stepexpand"><span>Type <tt>quit</tt> to exit the FTP session.</span> <div class="note"><span class="notetitle">Note:</span> Repeat
these steps to transfer the <tt>NASConfigiseriesb.bat</tt> file to the <span class="keyword">Windows 2000</span> server.</div>
</li>
</ol>
<div class="section"><div class="p"><span class="uicontrol">Run both batch files on kdc1.myco.com</span><ol><li>On your <span class="keyword">Windows 2000</span> server,
open the directory where you transferred the batch files.</li>
<li>Find the <tt>NASConfigiseriesa.bat</tt> file and double-click the file
to run it.</li>
<li>Repeat these steps for <tt>NASConfigiseriesb.bat</tt>.</li>
<li>After each file runs, verify that the <span class="keyword">i5/OS</span> principal
has been added to the Kerberos server by completing the following:<ol type="a"><li>On your <span class="keyword">Windows 2000</span> server,
expand <span class="menucascade"><span class="uicontrol">Administrative Tools</span> &gt; <span class="uicontrol">Active
Directory Users and Computers</span> &gt; <span class="uicontrol">Users</span></span>.</li>
<li>Verify that the <span class="keyword">iSeries™</span> has
a user account by selecting the appropriate <span class="keyword">Windows 2000</span> domain. <div class="note"><span class="notetitle">Note:</span> This <span class="keyword">Windows 2000</span> domain should be the same as
the default realm name that you specified in the network authentication service
configuration.</div>
</li>
<li>In the list of users that is displayed, find <strong>iseriesa_1_krbsvr400</strong> and <strong>iseriesb_1_krbsvr400</strong>.
These are the user accounts generated for the <span class="keyword">i5/OS</span> principal
name.</li>
<li>(Optional) Access the properties of your Active Directory users. From
the <strong>Account</strong> tab, select <strong>Account is trusted for delegation</strong>. <div class="note"><span class="notetitle">Note:</span> This
optional step enables your system to delegate, or forward, a user's credentials
to other systems. As a result, the <span class="keyword">i5/OS</span> service
principal can access services on multiple systems on behalf of the user. This
is useful in a multi-tier network.</div>
</li>
</ol>
</li>
</ol>
</div>
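<p>The verification in step 4 can also be scripted. The following is an added example, not part of the original IBM topic or of any IBM tool: it reads an LDIF export of the directory's user accounts, confirms that both accounts named above exist and are enabled, and reports whether <strong>Account is trusted for delegation</strong> is set on each. The function names, the sample export and its distinguished names and flag values are constructed for illustration.</p>

```python
# userAccountControl bits (documented Active Directory flag values)
ACCOUNTDISABLE = 0x2
TRUSTED_FOR_DELEGATION = 0x80000  # set by "Account is trusted for delegation"
EXPECTED = ("iseriesa_1_krbsvr400", "iseriesb_1_krbsvr400")  # names from this page

# Constructed sample export: DNs and flag values are illustrative only.
SAMPLE_LDIF = """\
dn: CN=iseriesa_1_krbsvr400,CN=Users,DC=myco,DC=com
sAMAccountName: iseriesa_1_krbsvr400
userAccountControl: 590336

dn: CN=iseriesb_1_krbsvr400,CN=Users,DC=myco,DC=com
sAMAccountName: iseriesb_1_krbsvr400
userAccountControl: 66048
"""

def parse_ldif(text):
    """Return a list of entries, each mapping lower-cased attribute -> values."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if not raw.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif raw.startswith(" ") and last:      # folded continuation line
            current[last][-1] += raw[1:]
        elif not raw.startswith("#") and ":" in raw:
            name, _, value = raw.partition(":")
            last = name.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries

def status(entry):
    """Decode the userAccountControl flags of one entry (None if absent)."""
    if entry is None:
        return None
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    return {"enabled": not uac & ACCOUNTDISABLE,
            "trusted_for_delegation": bool(uac & TRUSTED_FOR_DELEGATION)}

def audit(ldif_text, expected=EXPECTED):
    """Map each expected account name to its status, or None if missing."""
    found = {e["samaccountname"][0].lower(): e
             for e in parse_ldif(ldif_text) if "samaccountname" in e}
    return {name: status(found.get(name.lower())) for name in expected}

if __name__ == "__main__":
    for account, state in audit(SAMPLE_LDIF).items():
        print(account, state or "MISSING")
```

<p>Input in this form can be exported on the server with a command such as <tt>ldifde -f krbsvr400.ldf -r "(sAMAccountName=*krbsvr400)" -l sAMAccountName,userAccountControl</tt>, where the output file name is a placeholder. Because the delegation setting is optional, the report shows at a glance whether it is enabled only on the accounts where you intended it.</p>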
<p>Now that you have added the <span class="keyword">i5/OS</span> service
principals to the Kerberos server, you can create user profiles on the <span class="keyword">iSeries</span> systems.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzenablessoos400.htm" title="View this scenario to learn how to configure network authentication service and EIM to create a single signon environment across multiple systems in an enterprise. This scenario expands on the concepts and tasks presented in the previous scenario which demonstrates how to create a simple single signon test environment.">Scenario: Enable single signon for i5/OS</a></div>
<div class="previouslink"><strong>Previous topic:</strong> <a href="rzamzconfigureiseriesbtoparticipateintheeimdomainandconfigureiseriesbfornetworkauthenticationservice.htm">Configure iSeries B to participate in the EIM domain and configure iSeries B for network authentication service</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzamzcreateuserprofilesoniseriesaandiseriesb.htm">Create user profiles on iSeries A and iSeries B</a></div>
</div>
</div>
</body>
</html>