You can use one of two methods to add the necessary i5/OS™ service
principal to the Kerberos server. You can manually add it or, as this scenario
illustrates, you can use a batch file to add it. You created this batch file
in Step 2. To use this file, you must use File Transfer Protocol (FTP) to
copy the file to the Kerberos server and run it. Follow these steps to use
the batch file to add the principal to the Kerberos server:
- FTP batch file created by the wizard
  - On the Windows® 2000 workstation that the administrator used to configure network authentication service, open a command prompt and type ftp kdc1.myco.com. This will start an FTP session on your PC. You will be prompted for the administrator's user name and password.
  - At the FTP prompt, type lcd "C:\Documents and Settings\All Users\Documents\IBM\Client Access". Press Enter. You should receive the message Local directory now C:\Documents and Settings\All Users\Documents\IBM\Client Access.
  - At the FTP prompt, type binary. This indicates that the file to be transferred is binary.
  - At the FTP prompt, type cd \mydirectory, where mydirectory is a directory located on kdc1.myco.com.
  - At the FTP prompt, type put NASConfigiseriesa.bat. You should receive this message: 226 Transfer complete.
- Run batch file on kdc1.myco.com
  - On your Windows 2000 server, open the folder where you transferred the batch files.
  - Find the NASConfigiseriesa.bat file and double-click the file to run it.
  - After the file runs, verify that the i5/OS principal has been added to the Kerberos server by completing the following:
    - On your Windows 2000 server, expand .
    - Verify that the iSeries™ has a user account by selecting the appropriate Windows domain.
      Note: This Windows domain should be the same as the default realm name that you specified in the network authentication service configuration.
    - In the list of users that displays, find iseriesa_1_krbsvr400. This is the user account generated for the i5/OS principal name.
    - Access the properties on your Active Directory users. From the Account tab, select Account is trusted for delegation.
      Note: This optional step enables your system to delegate, or forward, a user's credentials to other systems. As a result, the i5/OS service principal can access services on multiple systems on behalf of the user. This is useful in a multi-tier network.