Host name resolution considerations

Ensure that Kerberos authentication and host name resolution work properly with your Kerberos enabled applications by verifying that your PCs and your iSeries™ servers resolve the same host name for the system on which the service application resides.

In a Kerberos environment, both the client and the server use some method of host name resolution to determine the host name for the system on which a particular application or service resides. If the iSeries servers and the PCs use a Domain Name System (DNS) server, it is important that they use the same DNS server to perform host name resolution or, if they use more than one DNS server, that the host names are the same on both DNS servers. If your iSeries system or PC resolves host names locally (from a local host table or file), it might resolve a host name that is different than the corresponding host name recorded on the DNS server. This might cause network authentication service to fail.

To ensure that Kerberos authentication and host name resolution work properly with your Kerberos enabled applications, you must verify that your PCs and your iSeries servers resolve the same host name for the system on which the service application resides. In the following example, this system is called iSeries A.

The following instructions demonstrate how to determine whether the PCs and iSeries systems resolve the same name for iSeries A. Refer to the example work sheets as you follow the instructions.

You can enter your own information in the blank work sheets when you perform these steps for your Kerberos realm.

This graphic illustrates the system files and records that contain host name information in the following example.
Note: The IP address 10.1.1.1 represents a public IP address. This address is for example purposes only.

[Figure: Host resolution considerations. Details of the host name information held by the DNS server, the PC, and iSeries A.]

Table 1. Example: PC host name resolution work sheet
On the PC, determine the host name for iSeries A

| Step | Source | Host name |
|---|---|---|
| 1.a.1 | PC hosts file | iseriesa.myco.com |
| 1.b.1 | DNS server | iseriesa.myco.com |

 

Table 2. Example: iSeries host name resolution work sheet
On iSeries A, determine the host name for iSeries A

| Step | Source | Host name |
|---|---|---|
| 2.a.2 | iSeries A, CFGTCP option 12 | Host name: iseriesa; Domain name: myco.com (Note: Host name search priority value: *LOCAL or *REMOTE) |
| 2.b.2 | iSeries A, CFGTCP option 10 | iseriesa.myco.com |
| 2.c.1 | DNS server | iseriesa.myco.com |

 

Table 3. Example: Matching host names work sheet
These three host names must match exactly

| Step | Host name |
|---|---|
| Step 1 | iseriesa.myco.com |
| Step 2.a.2 | iseriesa myco.com |
| 2d | iseriesa.myco.com |

 

Table 4. PC host name resolution work sheet
On the PC, determine the host name for the iSeries server

| Step | Source | Host name |
|---|---|---|
| 1.a.1 | PC hosts file | |
| 1.b.1 | DNS server | |

 

Table 5. iSeries host name resolution work sheet
On your iSeries server, determine the host name for the iSeries

| Step | Source | Host name |
|---|---|---|
| 2.a.2 | iSeries, CFGTCP option 12 | Host name: ______; Domain name: ______ (Note: Host name search priority value: *LOCAL or *REMOTE) |
| 2.b.2 | iSeries, CFGTCP option 10 | |
| 2.c.1 | DNS server | |

 

Table 6. Matching host names work sheet
These three host names must match exactly

| Step | Host name |
|---|---|
| Step 1 | |
| Step 2.a.2 | |
| 2d | |

Resolve your host names

Verify that your PCs and your iSeries servers resolve the same host name.

Use the previous example work sheets as reference for resolving host names. To verify that the PCs and iSeries systems are resolving the same host name for iSeries A, follow these steps:
  1. From the PC, determine the fully qualified TCP/IP host name for iSeries A.
    Note: Depending on how you manage your network, you may want to do this on other PCs that are joining the single signon environment.
    1. In Windows Explorer on the PC, open the hosts file from one of these locations:
      • Windows 2000 operating system: C:\WINNT\system32\drivers\etc\hosts
      • Windows XP operating system: C:\WINDOWS\system32\drivers\etc\hosts
      Note: If the hosts file does not exist on the PC, then your PC may be using a DNS server to resolve host names. In that case, skip to Step 1b.
      1. On the work sheet, write down the first host name entry for iSeries A, noting the uppercase or lowercase characters. For example, iseriesa.myco.com.
        Note: If the hosts file does not contain an entry for iSeries A, then your PC may be using a DNS server to resolve host names. In that case, see Step 1b.
    2. Use NSLOOKUP to query the DNS server.
      Note: Skip this step if you found a host name entry in the PC's hosts file, and proceed to Step 2. (The hosts file takes precedence over DNS servers when the operating system resolves host names for the PC.)
      1. At a command prompt, type NSLOOKUP and press Enter. At the NSLOOKUP prompt, type 10.1.1.1 to query the DNS server for iSeries A. Write down the host name returned by the DNS server, noting the uppercase or lowercase characters. For example, iseriesa.myco.com.
      2. At the NSLOOKUP prompt, type iseriesa.myco.com. This must be the host name returned by the DNS server in the previous step. Verify that the DNS server returns the IP address that you expect. For example, 10.1.1.1.
        Note: If NSLOOKUP does not return the expected results, your DNS configuration is incomplete. For example, if NSLOOKUP returns an IP address that is different than the address you entered in Step 1.b.1, you need to contact the DNS administrator to resolve this problem before you can continue with the next steps.
  2. From iSeries A, determine its fully qualified TCP/IP host name.
    1. TCP/IP domain information
      1. At the command prompt, type CFGTCP and select Option 12 (Change TCP/IP domain).
      2. Write down the values for the Host name parameter and the Domain name parameter, noting the uppercase or lowercase characters. For example:
        • Host name: iseriesa
        • Domain name: myco.com
      3. Write down the value for the Host name search priority parameter.
        • *LOCAL - The operating system searches the local host table (equivalent of hosts file on the PC) first. If there is not a matching entry in the host table and you have configured a DNS server, the operating system then searches your DNS server.
        • *REMOTE - The operating system searches the DNS server first. If there is not a matching entry in the DNS server, the operating system then searches the local host table.
    2. TCP/IP host table
      1. At the command prompt, type CFGTCP and select Option 10 (Work with TCP/IP Host Table Entries).
      2. Write down the value in the Host Name column that corresponds to iSeries A (IP address 10.1.1.1), noting the uppercase or lowercase characters. For example, iseriesa.myco.com.
        Note: If you do not find an entry for iSeries A in the host table, proceed to the next step.
    3. DNS server
      1. At a command prompt, type NSLOOKUP and press Enter. At the NSLOOKUP prompt, type 10.1.1.1 to query the DNS server for iSeries A. Write down the host name returned by the DNS server, noting the uppercase or lowercase characters. For example, iseriesa.myco.com.
      2. At the NSLOOKUP prompt, type iseriesa.myco.com. This must be the host name returned by the DNS server in the previous step. Verify that the DNS server returns the IP address that you expect. For example, 10.1.1.1.
        Note: If NSLOOKUP does not return the expected results, your DNS configuration is incomplete. For example, if NSLOOKUP returns an IP address that is different than the address you entered in Step 2.c.1, you need to contact the DNS administrator to resolve this problem before you can continue with the next steps.
    4. Determine which host name value for iSeries A to keep, based on its TCP/IP configuration.
      • If the value for the Host name search priority parameter is *LOCAL, keep the entry noted from the local host table (Step 2.b.2).
      • If the value for the Host name search priority parameter is *REMOTE, keep the entry noted from the DNS server (Step 2.c.1).
      • If only one of these sources contains an entry for iSeries A, keep that entry.
  3. Compare the results from these steps:
    1. Step 1 - Name that the PC uses for iSeries A.
      Note: If you found an entry for iSeries A in the PC's hosts file, use that entry. Otherwise, use the entry from the DNS server.
    2. Step 2.a.2 - Name that iSeries A calls itself within its TCP/IP configuration.
    3. Step 2d - Name that iSeries A calls itself based on host name resolution.
    All three of these entries must match exactly, including uppercase and lowercase characters. If the results do not exactly match, you will receive an error message indicating that a keytab entry cannot be found.
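
The work sheet comparison in Steps 1 through 3 can also be scripted. The following is an added example, not IBM-supplied code: it picks the PC's name for iSeries A (hosts file before DNS), picks the iSeries name according to the Host name search priority value, and compares the three results exactly, including case. The function names are hypothetical, the DNS names are entered by hand from your NSLOOKUP results, and joining the Step 2.a.2 host name and domain name with a dot is an assumption.

```python
# Added example; every sample value is constructed. Names are hypothetical.

def first_hosts_entry(hosts_text, ip):
    """Return the first host name listed for ip in hosts-file text, or None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) >= 2 and fields[0] == ip:
            return fields[1]                     # first name after the address
    return None

def pc_name(hosts_text, ip, dns_name):
    """Step 1: the PC's hosts file takes precedence over the DNS server."""
    return first_hosts_entry(hosts_text, ip) or dns_name

def iseries_resolved_name(priority, host_table_name, dns_name):
    """Step 2d: keep the entry chosen by the Host name search priority."""
    if priority not in ("*LOCAL", "*REMOTE"):
        raise ValueError("priority must be *LOCAL or *REMOTE")
    if priority == "*LOCAL":
        return host_table_name or dns_name       # fall back if only one source has it
    return dns_name or host_table_name

def compare_worksheet(step1, host, domain, step2d):
    """Step 3: report whether the three names match exactly, case included."""
    # Assumption: the 2.a.2 host and domain values are joined with a dot.
    names = {"Step 1": step1, "Step 2.a.2": f"{host}.{domain}", "Step 2d": step2d}
    values = set(names.values())
    exact = len(values) == 1
    case_only = not exact and len({str(v).lower() for v in values}) == 1
    return exact, case_only, names

PC_HOSTS = """\
# constructed sample of a PC hosts file
127.0.0.1   localhost
10.1.1.1    iseriesa.myco.com   iseriesa
"""

if __name__ == "__main__":
    step1 = pc_name(PC_HOSTS, "10.1.1.1", dns_name="iseriesa.myco.com")
    step2d = iseries_resolved_name("*LOCAL", "ISERIESA.MYCO.COM", "iseriesa.myco.com")
    exact, case_only, names = compare_worksheet(step1, "iseriesa", "myco.com", step2d)
    for step, name in names.items():
        print(f"{step:11} {name}")
    print("match" if exact else "MISMATCH (case only)" if case_only else "MISMATCH")
```

The sample run uses an uppercase host table entry with *LOCAL priority, so it reports a case-only mismatch, the condition that leads to the keytab entry error described above.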