Add both i5/OS service principals to the Kerberos server

You can use one of two methods to add the necessary i5/OS™ service principals to the Kerberos server. You can manually add the service principals or, as this scenario illustrates, you can use a batch file to add them. You created this batch file in Step 2. To use this file, you can use File Transfer Protocol (FTP) to copy the file to the Kerberos server and run it.

Follow these steps to use the batch file to add principal names to the Kerberos server:

  1. FTP batch files created by the wizard
    1. On the Windows® 2000 workstation that the administrator used to configure network authentication service, open a command prompt and type ftp kdc1.myco.com. This will start an FTP session on your PC. You will be prompted for the administrator's user name and password.
    2. At the FTP prompt, type lcd "C:\Documents and Settings\All Users\Documents\IBM\Client Access". Press Enter. You should receive the messageLocal directory now C:\Documents and Settings\All Users\Documents\IBM\Client Access .
    3. At the FTP prompt, type cd \mydirectory, where mydirectory is a directory located on kdc1.myco.com.
    4. At the FTP prompt, type put NASConfigiseriesa.bat. You should receive this message: 226 Transfer complete.
    5. Type quit to exit the FTP session.
  2. Run both batch files on kdc1.myco.com
    1. On your Windows 2000 server, open the directory where you transferred the batch files.
    2. Find the NASConfigiseriesa.bat file and double click the file to run it.
    3. Repeat these steps for NASConfigiseriesb.bat.
    4. After each file runs, verify that the i5/OS principal has been added to the Kerberos server by completing the following:
      1. On your Windows 2000 server, expand Administrative Tools > Active Directory Users and Computers > Users.
      2. Verify the iSeries™ has a user account by selecting the appropriate Windows 2000 domain.
        Note: This Windows 2000 domain should be the same as the default realm name that you specified in the network authentication service configuration.
      3. In the list of users that is displayed, find iseriesa_1_krbsvr400 and iseriesb_1_krbsvr400. These are the user accounts generated for the i5/OS principal name.
      4. Access the properties on your Active Directory users. From the Account tab, select Account is trusted for delegation.
        Note: This optional step enables your system to delegate, or forward, a user's credentials to other systems. As a result, the i5/OS service principal can access services on multiple systems on behalf of the user. This is useful in a multi-tier network.
Parent topic: Scenario: Enable single signon for i5/OS
Previous topic: Configure iSeries B to participate in the EIM domain and configure iSeries B for network authentication service
Next topic: Create user profiles on iSeries A and iSeries B