Add the principals for endpoint systems to the Windows 2000 domain

Add the service principals for the endpoint systems by completing these steps:
  1. iSeries™ B Steps
    1. On your Windows® 2000 server, expand Administrative Tools > Active Directory Users and Computers.
    2. Select MYCO.COM as the domain and expand Action > New > User.
      Note: This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.
    3. In the Name field, enter iseriesb to identify the iSeries server to this Windows domain. This will add a new user account for iSeries B.
    4. Access the properties on the Active Directory user iseriesb. From the Account tab, select Account is trusted for delegation. This allows the i5/OS™ service principal to access other services on behalf of a signed-in user.
    5. On the Windows 2000 server, you need to map the user account you just created to the i5/OS service principal by using the ktpass command. The ktpass tool is provided in the Service Tools folder on the Windows 2000 Server installation CD. At a Windows command prompt, enter:

      ktpass -mapuser iseriesb -pass iseriesa123 -princ krbsvr400/iseriesb.myco.com@MYCO.COM -mapop set

  2. iSeries C Steps
    1. On your Windows 2000 server, expand Administrative Tools > Active Directory Users and Computers.
    2. Select MYCO.COM as the domain and expand Action > New > User.
      Note: This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.
    3. In the Name field, enter iseriesc to identify the iSeries server to this Windows domain. This will add a new user account for iSeries C.
    4. Access the properties on the Active Directory user iseriesc. From the Account tab, select Account is trusted for delegation. This allows the i5/OS service principal to access other services on behalf of a signed-in user.
    5. On the Windows 2000 server, you need to map the user account you just created to the i5/OS service principal by using the ktpass command. The ktpass tool is provided in the Service Tools folder on the Windows 2000 Server installation CD. At a Windows command prompt, enter:

      ktpass -mapuser iseriesc -pass iseriesa123 -princ krbsvr400/iseriesc.myco.com@MYCO.COM -mapop set

  3. iSeries D Steps
    1. On your Windows 2000 server, expand Administrative Tools > Active Directory Users and Computers.
    2. Select MYCO.COM as the domain and expand Action > New > User.
      Note: This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.
    3. In the Name field, enter iseriesd to identify the iSeries server to this Windows domain. This will add a new user account for iSeries D.
    4. Access the properties on the Active Directory user iseriesd. From the Account tab, select Account is trusted for delegation. This allows the i5/OS service principal to access other services on behalf of a signed-in user.
    5. On the Windows 2000 server, you need to map the user account you just created to the i5/OS service principal by using the ktpass command. The ktpass tool is provided in the Service Tools folder on the Windows 2000 Server installation CD. At a Windows command prompt, enter:

      ktpass -mapuser iseriesd -pass iseriesd123 -princ krbsvr400/iseriesd.myco.com@MYCO.COM -mapop set
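
A consistency check for the ktpass commands in the steps above, as an added example that is not part of the original page or of any IBM or Microsoft tooling. It assumes the `-flag value` layout and the `krbsvr400/host@REALM` principal form shown here, and that the Windows user name equals the host's short name; `parse_ktpass` and `check_ktpass` are hypothetical helper names.

```python
import shlex

SERVICE = "krbsvr400"  # service name of the i5/OS principal in the page's commands

def parse_ktpass(line):
    """Return the options of a ktpass command line as {flag: value}."""
    tokens = shlex.split(line)
    if not tokens or tokens[0].lower() != "ktpass":
        raise ValueError("not a ktpass command")
    args = tokens[1:]
    if len(args) % 2 or not all(f.startswith("-") for f in args[::2]):
        raise ValueError("expected -flag value pairs")
    return {f[1:].lower(): v for f, v in zip(args[::2], args[1::2])}

def check_ktpass(line, realm):
    """Return a list of problems; an empty list means the line is consistent."""
    opts = parse_ktpass(line)
    missing = [f for f in ("mapuser", "pass", "princ", "mapop") if f not in opts]
    if missing:
        return ["missing -" + f for f in missing]
    name, at, princ_realm = opts["princ"].rpartition("@")
    service, slash, host = name.partition("/")
    if not (at and slash and host):
        return ["principal is not in service/host@REALM form"]
    problems = []
    if service != SERVICE:
        problems.append("service is %r, expected %r" % (service, SERVICE))
    if princ_realm != realm:  # realm names are compared case-sensitively
        problems.append("realm is %r, expected %r" % (princ_realm, realm))
    if host.split(".")[0].lower() != opts["mapuser"].lower():
        problems.append("host %r does not match -mapuser %r" % (host, opts["mapuser"]))
    if opts["mapop"].lower() != "set":  # assumption: the page's commands all use "set"
        problems.append("-mapop is %r, expected 'set'" % opts["mapop"])
    return problems  # the -pass value is deliberately never echoed

if __name__ == "__main__":
    lines = [
        # First line is the page's iSeries B command; the second is constructed,
        # with the copy-paste slips that three near-identical commands invite.
        "ktpass -mapuser iseriesb -pass iseriesa123 -princ krbsvr400/iseriesb.myco.com@MYCO.COM -mapop set",
        "ktpass -mapuser iseriesc -pass example -princ krbsvr400/iseriesb.myco.com@myco.com -mapop set",
    ]
    for line in lines:
        print(check_ktpass(line, "MYCO.COM") or "ok")
```

Run it over the commands before entering them on the Windows 2000 server, passing the default realm name from the network authentication service configuration as `realm`.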

You have completed the propagation of the network authentication service configuration to multiple systems. To configure the Management Central server to take advantage of network authentication service, you need to perform some additional tasks. See Scenario: Use Kerberos authentication between Management Central servers for details.