<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xml:lang="en-us"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="security" content="public" /> <meta name="Robots" content="index,follow" /> <meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' /> <meta name="DC.Type" content="task" /> <meta name="DC.Title" content="Test network authentication service configuration" /> <meta name="abstract" content="Test the network authentication service configuration by requesting a ticket granting ticket for your i5/OS principal." /> <meta name="description" content="Test the network authentication service configuration by requesting a ticket granting ticket for your i5/OS principal." /> <meta name="DC.Relation" scheme="URI" content="rzakhconfig.htm" /> <meta name="DC.Relation" scheme="URI" content="rzakhhome.htm" /> <meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" /> <meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" /> <meta name="DC.Format" content="XHTML" /> <meta name="DC.Identifier" content="rzakhtestnas" /> <meta name="DC.Language" content="en-us" /> <!-- All rights reserved. Licensed Materials Property of IBM --> <!-- US Government Users Restricted Rights --> <!-- Use, duplication or disclosure restricted by --> <!-- GSA ADP Schedule Contract with IBM Corp. --> <link rel="stylesheet" type="text/css" href="./ibmdita.css" /> <link rel="stylesheet" type="text/css" href="./ic.css" /> <title>Test network authentication service configuration</title> </head> <body id="rzakhtestnas"><a name="rzakhtestnas"><!-- --></a> <!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script> <h1 class="topictitle1">Test network authentication service configuration</h1> <div><p>Test the network authentication service configuration by requesting a ticket granting ticket for your i5/OS™ principal.</p> <div class="p"><div class="p">After you have created the home directories for each user that will connect to the i5/OS applications, you can test the network authentication service configuration by requesting a ticket granting ticket for your i5/OS principal. Before requesting a ticket, you should ensure that these common errors are fixed:<ul><li>Do you have all the prerequisites for network authentication service?</li> <li>Does a home directory exist on the iSeries™ for the user issuing the ticket request? See <a href="rzakhhome.htm#rzakhhome">Create a home directory</a> for details.</li> <li>Do you have the correct password for the i5/OS principal? This password was created during network authentication configuration and should be specified in your planning worksheets.</li> <li>Have you added the i5/OS principal to the Kerberos server? See <a href="rzakhdefineiseries.htm#rzakhdefineiseries">Add i5/OS principals to the Kerberos server</a> for details.</li> </ul> </div> </div> <div class="p"><span>To test network authentication service, complete the following steps:</span><ol type="a"><li class="substepexpand"><span>On a command line, enter <tt>QSH</tt> to start the Qshell Interpreter.</span></li> <li class="substepexpand"><span>Enter <tt>keytab list</tt> to display a list of principals registered in the keytab file.</span> The following results should display:<pre class="screen">Principal: krbsvr400/iseriesa.myco.com@MYCO.COM Key version: 2 Key type: 56-bit DES using key derivation Entry timestamp: 200X/05/29-11:02:58 </pre> </li> <li class="substepexpand"><span>Enter <tt>kinit -k krbsvr400/fully qualified host name@REALM NAME</tt> to request a ticket-granting ticket from the Kerberos server.</span> For example, krbsvr400/iseriesa.myco.com@MYCO.COM might be a valid principal name for the iSeries. This command verifies that your iSeries server has been configured properly and the password in the keytab file matches the password stored on the Kerberos server. If this is successful then the QSH command will display without errors.</li> <li class="substepexpand"><span>Enter <tt>klist</tt> to verify that the default principal is krbsvr400/fully qualified host name @REALM NAME. </span> This command displays the contents of a Kerberos credentials cache and verifies that a valid ticket has been created for the iSeries service principal and placed within the credentials cache on the iSeries system. <pre class="screen"> Ticket cache: FILE:/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/creds/krbcred Default principal: krbsvr400/iseriesa.myco.com@MYCO.COM Server: krbtgt/MYCO.COM@MYCO.COM Valid 200X/06/09-12:08:45 to 20XX/11/05-03:08:45 $ </pre> </li> </ol> </div> <div class="section"><p><strong>What do I do next:</strong></p> <p><a href="../rzalv/rzalvcnfg.htm">Configure Enterprise Identity Mapping (EIM)</a> This step is optional if you are using network authentication service with your own applications. However, it is recommended for use with IBM<sup>®</sup> supplied applications to create a single signon environment.</p> </div> </div> <div> <div class="familylinks"> <div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhconfig.htm" title="Configure network authentication service on your systems.">Configure network authentication service</a></div> <div class="previouslink"><strong>Previous topic:</strong> <a href="rzakhhome.htm" title="Create a home directory for each user that will connect to the i5/OS applications.">Create a home directory</a></div> </div> </div> </body> </html>