Host name resolution considerations

Ensure that Kerberos authentication and host name resolution work properly with your Kerberos enabled applications by verifying that your PCs and your iSeries™ servers resolve the same host name for the system on which the service application resides.

In a Kerberos environment, both the client and the server use some method of host name resolution to determine the host name for the system on which a particular application or service resides. If the iSeries servers and the PCs use a Domain Name System (DNS) server, it is important that they use the same DNS server to perform host name resolution or, if they use more than one DNS server, that the host names are the same on both DNS servers. If your iSeries system or PC resolve host names locally (from a local host table or file) they might resolve a host name that is different than the corresponding host name recorded on the DNS server. This might cause network authentication service to fail.

To ensure that Kerberos authentication and host name resolution work properly with your Kerberos enabled applications, you must verify that your PCs and your iSeries servers resolve the same host name for the system on which the service application resides. In the following example, this system is called iSeries A.

The following instructions demonstrate how to determine whether the PCs and iSeries systems resolve the same name for iSeries A. Refer to the example work sheets as you follow the instructions.

You can enter your own information in the blank work sheets when you perform these steps for your Kerberos realm.

This graphic illustrates the system files and records that contain host name information in the following example.

Note: The IP address 10.1.1.1 represents a public IP address. This address is for example purposes only.

Details

DNS server

Contains data resource records that indicate that IP address 10.1.1.1 correlates to host name iseriesa.myco.com, the IP address and host name for iSeries A.
May be used by the PC, iSeries A, or both for host resolution.
Note: This example demonstrates one DNS server. However, your network may use more than one DNS server. For example, your PC may use one DNS server to resolve host names and your iSeries server may use a different DNS server. You need to determine how many DNS servers your realm is using for host resolution and adapt this information to your situation.

Runs Windows^® 2000 operating system.
Represents both the PC used to administer network authentication service and the PC used by a user with no special authorities for his routine tasks.
Contains the hosts file which indicates that IP address 10.1.1.1 correlates to host name iseriesa.myco.com.
Note: You can find the hosts file in these folders:
- Windows 2000 operating system: C:\WINNT\system32\drivers\etc\hosts
- Windows XP operating system: C:\WINDOWS\system32\drivers\etc\hosts

iSeries A

Runs i5/OS™ Version 5 Release 3 (V5R3).
Contains a service application that you need to access using network authentication service (Kerberos authentication).
Within the CFGTCP (Configure TCP) menu, options 10 and 12 indicate the following information for iSeries A:
- Option 10 (Work with TCP/IP host table entries):
  - Internet Address: 10.1.1.1
  - Host Name: iseriesa.myco.com
- Option 12 (Change TCP/IP domain information):
  - Host name: iseriesa
  - Domain name: myco.com
  - Host name search priority: *LOCAL or *REMOTE
    Note: The Host name search priority parameter indicates either *LOCAL or *REMOTE depending on how your network administrator configured TCP/IP to perform host resolution on the server.

Table 1. Example: PC host name resolution work sheet
On the PC, determine the host name for iSeries A
Step	Source	Host name
1.a.1	PC hosts file	iseriesa.myco.com
1.b.1	DNS server	iseriesa.myco.com

Table 2. Example: iSeries host name resolution work sheet
On iSeries A, determine the host name for iSeries A
Step	Source	Host name
2.a.2	iSeries A CFGTCP option 12	Host name: `iseriesa` Domain name: `myco.com`
Note: Host name search priority value: `LOCAL` or `REMOTE`
2.b.2	iSeries A CFGTCP option 10	iseriesa.myco.com
2.c.1	DNS server	iseriesa.myco.com

Table 3. Example: Matching host names work sheet
These three host names must match exactly
Step	Host name
Step 1	iseriesa.myco.com
Step 2.a.2	iseriesa myco.com
2d	iserisa.myco.com

Table 4. PC host name resolution work sheet
On the PC, determine the host name for the iSeries server
Step	Source	Host name
1.a.1	PC hosts file
1.b.1	DNS server

Table 5. iSeries host name resolution work sheet
On your iSeries server, determine the host name for the iSeries
Step	Source	Host name
2.a.2	iSeries CFGTCP option 12	Host name: Domain name:
Note Host name search priority value: `LOCAL` or `REMOTE`
2.b.2	iSeries CFGTCP option 10
2.c.1	DNS server

Table 6. Matching host names work sheet
These three host names must match exactly
Step	Host name
Step 1
Step 2.a.2
2d

Parent topic: Plan network authentication service

Resolve your host names

Verify that your PCs and your iSeries servers resolve the same host name.

Use the previous example work sheets as reference for resolving host names. To verify that the PCs and iSeries systems are resolving the same host name for iSeries A, follow these steps:

From the PC, determine the fully qualified TCP/IP host name for iSeries A.
Note: Depending on how you manage your network, you may want to do this on other PCs that are joining the single signon environment.
1. In Windows Explorer on the PC, open the hosts file from one of these locations:
  - Windows 2000 operating system: C:\WINNT\system32\drivers\etc\hosts
  - Windows XP operating system: C:\WINDOWS\system32\drivers\etc\hosts
  Note: If the hosts file does not exist on the PC, then your PC may be using a DNS server to resolve host names. In that case, skip to Step 1b.
  1. On the work sheet, write down the first host name entry for iSeries A, noting the uppercase or lowercase characters. For example, iseriesa.myco.com.
    Note: If the hosts file does not contain an entry for iSeries A, then your PC may be using a DNS server to resolve host names. In that case, see Step 1b.
2. Use NSLOOKUP to query the DNS server.
  Note: Skip this step if you found a host name entry in the PC's hosts file, and proceed to Step 2. (The hosts file takes precedence over DNS servers when the operating system resolves host names for the PC.)
  1. At a command prompt, type NSLOOKUP and press Enter. At the NSLOOKUP prompt, type 10.1.1.1 to query the DNS server for iSeries A. Write down the host name returned by the DNS server, noting the uppercase or lowercase characters. For example, iseriesa.myco.com.
  2. At the NSLOOKUP prompt, type iseriesa.myco.com. This must be the host name returned by the DNS server in the previous step. Verify that the DNS server returns the IP address that you expect. For example, 10.1.1.1.
    Note: If NSLOOKUP does not return the expected results, your DNS configuration is incomplete. For example, if NSLOOKUP returns an IP address that is different than the address you entered in Step 1.b.1, you need to contact the DNS administrator to resolve this problem before you can continue with the next steps.
From iSeries A, determine its fully qualified TCP/IP host name.
1. TCP/IP domain information
  1. At the command prompt, type CFGTCP and select Option 12 (Change TCP/IP domain).
  2. Write down the values for the Host name parameter and the Domain name parameter, noting the uppercase or lowercase characters. For example:
    - Host name: iseriesa
    - Domain name: myco.com
  3. Write down the value for the Host name search priority parameter.
    - *LOCAL - The operating system searches the local host table (equivalent of hosts file on the PC) first. If there is not a matching entry in the host table and you have configured a DNS server, the operating system then searches your DNS server.
    - *REMOTE - The operating system searches the DNS server first. If there is not a matching entry in the DNS server, the operating system then searches the local host table.
2. TCP/IP host table
  1. At the command prompt, type CFGTCP and select Option 10 (Work with TCP/IP Host Table Entries).
  2. Write down the value in the Host Name column that corresponds to iSeries A (IP address 10.1.1.1), noting the uppercase or lowercase characters. For example, iseriesa.myco.com.
    Note: If you do not find an entry for iSeries A in the host table, proceed to the next step.
3. DNS server
  1. At a command prompt, type NSLOOKUP and press Enter. At the NSLOOKUP prompt, type 10.1.1.1 to query the DNS server for iSeries A. Write down the host name returned by the DNS server, noting the uppercase or lowercase characters. For example, iseriesa.myco.com.
  2. At the NSLOOKUP prompt, type iseriesa.myco.com. This must be the host name returned by the DNS server in the previous step. Verify that the DNS server returns the IP address that you expect. For example, 10.1.1.1.
    Note: If NSLOOKUP does not return the expected results, your DNS configuration is incomplete. For example, if NSLOOKUP returns an IP address that is different than the address you entered in Step 2.c.1, you need to contact the DNS administrator to resolve this problem before you can continue with the next steps.
4. Determine which host name value for iSeries A to keep, based on its TCP/IP configuration.
  - If the value for the Host name search priority parameter is *LOCAL, keep the entry noted from the local host table (Step 2.b.2).
  - If the value for the Host name search priority parameter is *REMOTE, keep the entry noted from the DNS server (Step 2.c.1).
  - If only one of these sources contains an entry for iSeries A, keep that entry.
Compare the results from these steps:
1. Step 1 - Name that the PC uses for iSeries A.
  Note: If you found an entry for iSeries A in the PC's hosts file, use that entry. Otherwise, use the entry from the DNS server.
2. Step 2.a.2 - Name that iSeries A calls itself within its TCP/IP configuration.
3. Step 2d - Name that iSeries A calls itself based on host name resolution.
All three of these entries must match exactly, including uppercase and lowercase characters. If the results do not exactly match, you will receive an error message indicating that a keytab entry cannot be found.