Configure network authentication service on your systems.
Before you configure network authentication service, you should perform
the following tasks:
- Complete all the necessary planning work sheets.
- Verify that when your PCs and iSeries™ systems perform host name resolution, they resolve the same host names for your iSeries systems. Refer to Host name resolution considerations for this task.
- Configure a Kerberos server on a secure system in your network. If you have configured a Kerberos server in i5/OS™ PASE, ensure that you have completed all the necessary configuration of the server and client workstations before configuring network authentication on the iSeries server. See Configure a Kerberos server in i5/OS PASE for details on configuring a Kerberos server in i5/OS PASE.
  You can also have a Kerberos server configured on Microsoft® Windows® 2000, Windows Server 2003, or z/OS®. See the documentation for the system that will be used as the Kerberos server.
  It is recommended that you configure the Kerberos server before configuring network authentication service on the iSeries.
To configure network authentication service, complete the following
steps:
- In iSeries Navigator,
expand .
- Right-click Network Authentication Service and
select Configure to start the configuration wizard.
Note: After you have configured network authentication service, this
option will be Reconfigure.
- Review the Welcome page for information
about what objects the wizard creates. Click Next.
- On the Specify realm information page, enter
the name of the default realm in the Default realm field.
If you are using Microsoft Active Directory for Kerberos authentication,
select Microsoft Active Directory is used for Kerberos authentication.
Click Next.
- On the Specify KDC information page, enter
the name of the Kerberos server for this realm in the KDC field
and enter 88 in the Port field. Click Next.
- On the Specify password information page,
select either Yes or No for
setting up a password server. The password server allows principals to change
passwords on the Kerberos server. If you select Yes,
enter the password server name in the Password server field.
The password server has the default port of 464. Click Next.
- On the Select keytab entries page, select i5/OS Kerberos Authentication. You can also create keytab entries for Directory services (LDAP), iSeries NetServer™, and iSeries HTTP server if you want these services to use Kerberos authentication.
Note: Some of these services require additional configuration to use Kerberos authentication.
Click Next.
- On the Create i5/OS keytab entry page, enter
and confirm a password. Click Next.
Note: This is the same password you will use when you add the i5/OS principals to the Kerberos server.
- On the Create batch file page, select Yes to
create this file.
Note: This page only appears if you selected Microsoft Active Directory is used for Kerberos authentication in Step 4 (above).
- In the Batch file field, update the directory
path. You can click Browse to locate the appropriate
directory path and you can edit the path in the field.
- In the Include password field, select Yes. This ensures that all passwords associated with the i5/OS service principal are included in the batch file. Be aware that the passwords are displayed in clear text and can be read by anyone with read access to the batch file.
Note: You can also manually add the service principals that are generated by the wizard to Microsoft Active Directory. If you want to know how to manually add the i5/OS service principals to Microsoft Active Directory, see Add i5/OS principals to the Kerberos server.
- On the Summary page, review the network
authentication service configuration details. Click Finish.
Network authentication service is now configured.
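
Because the batch file created with Include password set to Yes holds the service principal passwords in clear text, it is worth checking who can read it. The following PowerShell script is an added example, not part of the wizard or of IBM's documentation: it lists the accounts that can read the file and then restricts the file to the current user. The -BatchFile parameter is an assumption and must be set to the path you entered in the Batch file field.

```powershell
# Added example (not IBM code): audit and tighten the ACL of the wizard's batch file.
# Assumption: -BatchFile is the path that was entered in the Batch file field.
param(
    [Parameter(Mandatory = $true)]
    [string]$BatchFile
)
$ErrorActionPreference = 'Stop'

$acl = Get-Acl -LiteralPath $BatchFile
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

# 1. List every Allow entry that can read the file contents (the clear-text passwords).
$readers = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $readData) -ne 0)
})
Write-Output "Accounts that can currently read ${BatchFile}:"
$readers | ForEach-Object {
    Write-Output ("  {0}  ({1}, inherited={2})" -f `
        $_.IdentityReference, $_.FileSystemRights, $_.IsInherited)
}

# 2. Stop inheriting permissions from the parent directory; the inherited
#    entries are dropped when the ACL is written back.
$acl.SetAccessRuleProtection($true, $false)

# 3. Remove the explicit entries, then grant access to the current user only.
foreach ($rule in @($acl.Access)) {
    [void]$acl.RemoveAccessRule($rule)
}
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$mine = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $me, 'FullControl', 'Allow')
$acl.AddAccessRule($mine)
Set-Acl -LiteralPath $BatchFile -AclObject $acl

# 4. Show the resulting ACL so the change can be confirmed.
(Get-Acl -LiteralPath $BatchFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it as the user who created the batch file, since changing the ACL requires ownership of the file or equivalent rights.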