SBMNWSCMD and file level backup support for Kerberos v5 and EIM

File level backup operations to an integrated Windows server utilize the iSeries™ NetClient and Submit Network Server Command (SBMNWSCMD) functions. In i5/OS™ V5R3 or later, these functions provide limited Kerberos v5 support (also known as iSeries Network Authentication). Thus, there are some considerations to keep in mind if you want to use network authentication with these functions.

  1. In order to enable iSeries to use Kerberos authentication, you must configure these things on the iSeries server:
     - The iSeries NetServer™ must be configured to use Password/Kerberos v5 authentication, and NetServer must be active.
     - The Kerberos KDC must be a Windows Active Directory domain controller (Windows 2000 Server or Windows Server 2003). For more information, see Enabling Kerberos with a Windows Server 2003 Active Directory Server.
  2. Kerberos authentication is used only when the i5/OS job's user profile has the LCLPWDMGT attribute set to *NO. When LCLPWDMGT is set to *YES, password authentication is always used.
  3. User enrollment supports using EIM to map a Windows user name to a different i5/OS profile name. To do this, user enrollment looks for an EIM registry named for the Windows Active Directory domain, or for an EIM registry named for the integrated server, as appropriate. User enrollment uses the EIM mapping regardless of whether Kerberos authentication can be used, but SBMNWSCMD and NetClient use an EIM-mapped name only when Kerberos authentication is used. As a result, user enrollment may create a local Windows user whose name differs from the i5/OS profile name, as specified by the EIM mapping, while SBMNWSCMD and NetClient use that different Windows name only when Kerberos authentication is performed (LCLPWDMGT = *NO). Otherwise, they attempt to authenticate with a Windows name equal to the i5/OS profile name.
  4. For Windows commands submitted with SBMNWSCMD to connect to other network servers when Kerberos authentication is used, the target Windows server must be trusted for delegation. In Windows 2000, this is enabled by default for domain controllers but disabled by default for domain member servers. It can be enabled on a domain controller with the Active Directory Users and Computers administration tool: click Computers, select the correct computer, open Computer properties -> General, and check Trust computer for delegation.
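As an added illustration (not IBM code), the following Python model encodes the LCLPWDMGT and EIM rules described above and flags the case where the local Windows account created by user enrollment differs from the name SBMNWSCMD and NetClient will actually present. The field labels, helper names and the sample EIM mapping are constructed assumptions.

```python
# Added example (not IBM code): a model of the authentication path described above.
# Field labels, helper names and the sample EIM mapping are constructed assumptions.
from dataclasses import dataclass


@dataclass
class I5osConfig:
    netserver_active: bool
    netserver_auth: str        # assumed labels: "PASSWORD" or "PASSWORD_KERBEROS"
    kdc_is_windows_ad_dc: bool


@dataclass
class JobUser:
    profile: str               # i5/OS user profile name
    lclpwdmgt: str             # LCLPWDMGT attribute: "*YES" or "*NO"


def kerberos_used(cfg: I5osConfig, user: JobUser) -> bool:
    """Kerberos is used only when every prerequisite holds and LCLPWDMGT is *NO."""
    return (cfg.netserver_active and cfg.netserver_auth == "PASSWORD_KERBEROS"
            and cfg.kdc_is_windows_ad_dc and user.lclpwdmgt == "*NO")


def enrollment_windows_name(user: JobUser, eim: dict) -> str:
    """User enrollment applies the EIM mapping (profile -> Windows name) regardless of Kerberos."""
    return eim.get(user.profile, user.profile)


def sbmnwscmd_windows_name(cfg: I5osConfig, user: JobUser, eim: dict) -> tuple:
    """SBMNWSCMD and NetClient use the EIM-mapped name only under Kerberos, else the profile name."""
    if kerberos_used(cfg, user):
        return "kerberos", eim.get(user.profile, user.profile)
    return "password", user.profile


def check_user(cfg: I5osConfig, user: JobUser, eim: dict) -> list:
    """Flag the case where SBMNWSCMD/NetClient will log on as a name enrollment never created."""
    enrolled = enrollment_windows_name(user, eim)
    method, used = sbmnwscmd_windows_name(cfg, user, eim)
    if enrolled == used:
        return []
    return [f"{user.profile}: enrolled as {enrolled!r} but {method} logon will use {used!r}"]


SAMPLE_CFG = I5osConfig(True, "PASSWORD_KERBEROS", True)  # constructed configuration
SAMPLE_EIM = {"JSMITH": "john.smith"}                      # constructed EIM mapping
if __name__ == "__main__":
    for u in (JobUser("JSMITH", "*YES"), JobUser("JSMITH", "*NO")):
        print(check_user(SAMPLE_CFG, u, SAMPLE_EIM))
```

Running it shows that with LCLPWDMGT(*YES) the profile is enrolled as the mapped name but authenticates as the unmapped profile name, which is the mismatch to look for when a submitted command fails to log on.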