Domains

Use this information to learn about the differences between EIM domains and Windows® domains, both of which are part of a single signon environment.

Two types of domains play key roles in the single signon environment: EIM domain and Windows 2000 domain. Although both of these terms contain the word domain, these entities have very different definitions. Use the following descriptions to understand the differences between these two types of domains.

EIM domain
An EIM domain is a collection of data, which includes the EIM identifiers, EIM associations, and EIM user registry definitions that are defined in that domain. This data is stored in a Lightweight Directory Access Protocol (LDAP) server, such as the IBM® Directory Server for iSeries™, which can run on any system in the network, defined in that domain. Administrators can configure systems (EIM clients), such as i5/OS™, to participate in the domain so that systems and applications can use domain data for EIM lookup operations and identity mapping.
Windows 2000 domain
In the context of single signon, a Windows 2000 domain is a Windows network that contains several systems operating as clients and servers and a variety of services and applications used by the systems. The following are some of the components pertinent to single signon that you may find within a Windows 2000 domain:

Realm
A realm is a collection of machines and services. The main purpose of a realm is to authenticate clients and services. Each realm uses a single Kerberos server to manage the principals for that particular realm.
Kerberos server
A Kerberos server, also known as a key distribution center (KDC), is a network service that resides on the Windows 2000 server and provides tickets and temporary session keys for network authentication service. The Kerberos server maintains a database of principals (users and services) and their associated secret keys. It is composed of the authentication server and the ticket granting server. A Kerberos server uses Microsoft® Windows Active Directory to store and manage the information in a Kerberos user registry.
Microsoft Windows Active Directory
Microsoft Windows Active Directory is an LDAP server that resides on the Windows 2000 server along with the Kerberos server. The Active Directory is used to store and manage the information in a Kerberos user registry. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism. Therefore, if you are using Microsoft Active Directory to manage your users, you are already using Kerberos technology.
Related information
Enterprise Identity Mapping (EIM) Overview
Enterprise Identity Mapping Concepts
Network authentication service