Test network authentication service configuration

Test the network authentication service configuration by requesting a ticket granting ticket for your i5/OS™ principal.

After you have created the home directories for each user that will connect to the i5/OS applications, you can test the network authentication service configuration by requesting a ticket granting ticket for your i5/OS principal. Before requesting a ticket, you should ensure that these common errors are fixed:

Do you have all the prerequisites for network authentication service?
Does a home directory exist on the iSeries™ for the user issuing the ticket request? See Create a home directory for details.
Do you have the correct password for the i5/OS principal? This password was created during network authentication configuration and should be specified in your planning worksheets.
Have you added the i5/OS principal to the Kerberos server? See Add i5/OS principals to the Kerberos server for details.

To test network authentication service, complete the following steps:

On a command line, enter QSH to start the Qshell Interpreter.

Enter keytab list to display a list of principals registered in the keytab file. The following results should display:

Principal: krbsvr400/iseriesa.myco.com@MYCO.COM      
  Key version: 2                                                       
  Key type: 56-bit DES using key derivation                            
  Entry timestamp: 200X/05/29-11:02:58

Enter kinit -k krbsvr400/fully qualified host name@REALM NAME to request a ticket-granting ticket from the Kerberos server. For example, krbsvr400/iseriesa.myco.com@MYCO.COM might be a valid principal name for the iSeries. This command verifies that your iSeries server has been configured properly and the password in the keytab file matches the password stored on the Kerberos server. If this is successful then the QSH command will display without errors.

Enter klist to verify that the default principal is krbsvr400/fully qualified host name @REALM NAME. This command displays the contents of a Kerberos credentials cache and verifies that a valid ticket has been created for the iSeries service principal and placed within the credentials cache on the iSeries system.

 Ticket cache: FILE:/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/creds/krbcred
                                                                    
 Default principal: krbsvr400/iseriesa.myco.com@MYCO.COM  
                                                                            
Server: krbtgt/MYCO.COM@MYCO.COM              
  Valid 200X/06/09-12:08:45 to 20XX/11/05-03:08:45                          
$

What do I do next:

Configure Enterprise Identity Mapping (EIM) This step is optional if you are using network authentication service with your own applications. However, it is recommended for use with IBM^® supplied applications to create a single signon environment.