Additional configuration requirements for Kerberos v5 authentication enablement

You must complete all of the following steps prior to restarting the iSeries server.

  1. The Enterprise Identity Mapping (EIM) and Network authentication service must be configured on the server in order to use Kerberos v5 authentication. If EIM and Network authentication service are already configured, skip this step and proceed to step 2.
    Note:
    The EIM configuration wizard gives you the option to configure Network authentication service, if it is not currently configured on your server. In this event, you must select to configure the Network authentication service, as it is a required service in order to use Kerberos v5 authentication with iSeries NetServer™.

    To configure EIM and Network authentication services complete the following steps:

    1. Open iSeries Navigator and connect to the system you want to work with.
    2. Expand Network.
    3. Right-click Enterprise Identity Mapping and select Configure.
    4. Follow the instructions in the EIM configuration wizard.
    Note:
    If Network authentication service is not currently configured on the iSeries server, you will be prompted to configure this service during the EIM configuration wizard. You must ensure that you select to add the iSeries NetServer service principals when configuring Network authentication service.
  2. With Network authentication service currently configured on your server, you must manually add the service principal names to the keytab.
    1. For Windows 2000 clients:
      HOST/<fully qualified name>@<REALM>
      HOST/<qname>@<REALM>
      HOST/<IP Address>@<REALM>
    2. For Windows XP and Windows Server 2003 clients:
      cifs/<fully qualified name>@<REALM>
      cifs/<qname>@<REALM>
      cifs/<IP Address>@<REALM>
    Keytab entries may be added using the Kerberos Key Tab (QKRBKEYTAB) API. On a command line, use the following command string, where qname is the fully qualified name or the IP address: CALL PGM(QKRBKEYTAB) PARM('add' 'HOST/qname')
  3. Additional setup is also required on the Windows 2000 or Windows Server 2003 domain controller that the iSeries NetServer clients use as the Key Distribution Center (KDC).

    Complete the following steps to configure an iSeries NetServer service principal on the Windows KDC:

    1. Install the Support Tools from your Windows server CD.
      Note:
      Instructions for installing the Support Tools can be found in the Microsoft KB article Q301423 (support.microsoft.com/support/kb/articles/Q301/4/23.ASP).
    2. Create a new user in the Active Directory.
    3. From a command prompt, use the ktpass.exe support tool to map a service principal to the newly created user. The password used for ktpass should match the password used to create the service principal on the iSeries system. Substituting your own parameters for the items in < >, use the appropriate command call as follows.

      For Windows 2000 clients:
      ktpass -princ HOST/<iSeriesNetServerName>@<REALM> -mapuser <new user> -pass <password>

      For Windows XP or Windows Server 2003 clients:
      ktpass -princ cifs/<iSeriesNetServerName>@<REALM> -mapuser <new user> -pass <password>

      Note:
      Only one principal can be mapped to a user. If both HOST/* and cifs/* principals are needed, each must be mapped to a separate Active Directory user.
    4. Repeat steps 2 and 3 of this procedure (create a new Active Directory user and map a principal to it with ktpass) if you want to access iSeries NetServer using additional principal names.
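The principal names listed in step 2 are easy to get partly wrong (a missing IP-address form, a lower-case realm), so the following added example, which is not part of the IBM documentation, builds the full set of HOST/ and cifs/ principals for a NetServer host and reports which ones a keytab listing lacks. The host name, IP address, realm and the listing format (one "<kvno> <principal>" entry per line, modelled on klist -k output) are constructed assumptions.

```python
# Added example (not from the IBM documentation): derive the iSeries NetServer
# service principals that step 2 requires and check a keytab listing for gaps.
import ipaddress
import re

SERVICES = ("HOST", "cifs")  # HOST/ for Windows 2000, cifs/ for XP / Server 2003

def required_principals(fqdn, ip_address, realm):
    """Return the six principal names the keytab must contain:
    HOST/ and cifs/ for the fully qualified name, short name and IP address."""
    ipaddress.ip_address(ip_address)   # raises ValueError if not a valid address
    short = fqdn.split(".")[0]         # qname in its short form
    realm = realm.upper()              # Kerberos realm names are upper case
    names = (fqdn, short, ip_address)
    return [f"{svc}/{name}@{realm}" for svc in SERVICES for name in names]

# One keytab entry per line: key version number, whitespace, principal.
_ENTRY = re.compile(r"^\s*\d+\s+(\S+/\S+@\S+)\s*$")

def principals_in_keytab(listing):
    """Parse the constructed '<kvno> <principal>' listing format into a set."""
    found = set()
    for line in listing.splitlines():
        m = _ENTRY.match(line)
        if m:
            found.add(m.group(1))
    return found

def missing_principals(fqdn, ip_address, realm, listing):
    """Required principals that are absent from the keytab listing."""
    present = principals_in_keytab(listing)
    return [p for p in required_principals(fqdn, ip_address, realm)
            if p not in present]

def keytab_commands(principals):
    """QKRBKEYTAB command strings in the form the page shows; the realm is
    omitted as in that example, so the default realm is assumed."""
    return [f"CALL PGM(QKRBKEYTAB) PARM('add' '{p.split('@')[0]}')"
            for p in principals]

# Constructed sample listing: the cifs/ entry for the IP address is absent.
SAMPLE_LISTING = """\
KVNO Principal
   2 HOST/as400a.example.com@EXAMPLE.COM
   2 HOST/as400a@EXAMPLE.COM
   2 HOST/192.0.2.10@EXAMPLE.COM
   2 cifs/as400a.example.com@EXAMPLE.COM
   2 cifs/as400a@EXAMPLE.COM
"""

if __name__ == "__main__":
    gaps = missing_principals("as400a.example.com", "192.0.2.10",
                              "example.com", SAMPLE_LISTING)
    for cmd in keytab_commands(gaps):
        print(cmd)
```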