<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Add the principals for endpoint systems to the Windows 2000 domain" />
<meta name="DC.Relation" scheme="URI" content="rzakhscenmc.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpropagatescenario_configurenasoniseriesd.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhpropagatescenario_addprincipalswin2000domain" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Add the principals for endpoint systems to the Windows 2000 domain </title>
</head>
<body id="rzakhpropagatescenario_addprincipalswin2000domain"><a name="rzakhpropagatescenario_addprincipalswin2000domain"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Add the principals for endpoint systems to the Windows 2000 domain </h1>
<div><div class="section">Add the service principals for the endpoint systems by completing
these steps:</div>
<ol><li><span><strong>iSeries™ B
Steps</strong></span><ol type="a"><li class="substepexpand"><span>On your Windows<sup>®</sup> 2000 server, expand <span class="menucascade"><span class="uicontrol">Administrative Tools</span> &gt; <span class="uicontrol">Active Directory Users
and Computers</span></span>.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">MYCO.COM</span> as the domain and expand <span class="menucascade"><span class="uicontrol">Action</span> &gt; <span class="uicontrol">New </span> &gt; <span class="uicontrol">User</span></span>. </span> <div class="note"><span class="notetitle">Note:</span> This Windows domain should be the same as
the default realm name that you specified for the network authentication service
configuration.</div>
</li>
<li class="substepexpand"><span>In the <span class="uicontrol">Name</span> field, enter <tt>iseriesb</tt> to
identify the iSeries server
to this Windows domain. This will add a new user account
for iSeries B.</span></li>
<li class="substepexpand"><span>Access the properties on the Active Directory user iseriesb.
From the <span class="uicontrol">Account</span> tab, select <span class="uicontrol">Account is
trusted for delegation</span>. This allows the i5/OS™ service principal to access other
services on behalf of a signed-in user.</span></li>
<li class="substepexpand"><span>On the Windows 2000 server, you need to map
the user account you just created to the i5/OS service principal by using the <span class="uicontrol">ktpass</span> command.
The ktpass tool is provided in the <span class="uicontrol">Service Tools</span> folder
on the Windows 2000 Server installation CD. At a Windows command
prompt, enter:</span> <p><kbd class="userinput">ktpass -mapuser iseriesb -pass iseriesa123
-princ krbsvr400/iseriesb.myco.com@MYCO.COM -mapop set</kbd></p>
</li>
</ol>
</li>
<li><span><strong>iSeries C
Steps</strong></span><ol type="a"><li class="substepexpand"><span>On your Windows 2000 server, expand <span class="menucascade"><span class="uicontrol">Administrative Tools</span> &gt; <span class="uicontrol">Active Directory Users
and Computers</span></span>.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">MYCO.COM</span> as the domain and expand <span class="menucascade"><span class="uicontrol">Action</span> &gt; <span class="uicontrol">New </span> &gt; <span class="uicontrol">User</span></span>. </span> <div class="note"><span class="notetitle">Note:</span> This Windows domain should be the same as
the default realm name that you specified for the network authentication service
configuration.</div>
</li>
<li class="substepexpand"><span>In the <span class="uicontrol">Name</span> field, enter <tt>iseriesc</tt> to
identify the iSeries server
to this Windows domain. This will add a new user account
for iSeries C.</span></li>
<li class="substepexpand"><span>Access the properties on the Active Directory user iseriesc.
From the <span class="uicontrol">Account</span> tab, select <span class="uicontrol">Account is
trusted for delegation</span>. This allows the i5/OS service principal to access other
services on behalf of a signed-in user.</span></li>
<li class="substepexpand"><span>On the Windows 2000 server, you need to map
the user account you just created to the i5/OS service principal by using the <span class="uicontrol">ktpass</span> command.
The ktpass tool is provided in the <span class="uicontrol">Service Tools</span> folder
on the Windows 2000 Server installation CD. At a Windows command
prompt, enter:</span> <p><kbd class="userinput">ktpass -mapuser iseriesc -pass iseriesa123
-princ krbsvr400/iseriesc.myco.com@MYCO.COM -mapop set</kbd></p>
</li>
</ol>
</li>
<li><span><strong>iSeries D
Steps</strong></span><ol type="a"><li class="substepexpand"><span>On your Windows 2000 server, expand <span class="menucascade"><span class="uicontrol">Administrative Tools</span> &gt; <span class="uicontrol">Active Directory Users
and Computers</span></span>.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">MYCO.COM</span> as the domain and expand <span class="menucascade"><span class="uicontrol">Action</span> &gt; <span class="uicontrol">New </span> &gt; <span class="uicontrol">User</span></span>. </span> <div class="note"><span class="notetitle">Note:</span> This Windows domain should be the same as
the default realm name that you specified for the network authentication service
configuration.</div>
</li>
<li class="substepexpand"><span>In the <span class="uicontrol">Name</span> field, enter <tt>iseriesd</tt> to
identify the iSeries server
to this Windows domain. This will add a new user account
for iSeries D. </span></li>
<li class="substepexpand"><span>Access the properties on the Active Directory user iseriesd.
From the <span class="uicontrol">Account</span> tab, select <span class="uicontrol">Account is
trusted for delegation</span>. This allows the i5/OS service principal to access other
services on behalf of a signed-in user.</span></li>
<li class="substepexpand"><span>On the Windows 2000 server, you need to map
the user account you just created to the i5/OS service principal by using the <span class="uicontrol">ktpass</span> command.
The ktpass tool is provided in the <span class="uicontrol">Service Tools</span> folder
on the Windows 2000 Server installation CD. At a Windows command
prompt, enter:</span> <p><kbd class="userinput">ktpass -mapuser iseriesd -pass iseriesd123
-princ krbsvr400/iseriesd.myco.com@MYCO.COM -mapop set</kbd></p>
</li>
</ol>
</li>
</ol>
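<div class="section"><p>The following check is an added example, not part of the original IBM procedure. It parses the three ktpass commands from the steps above and reports mappings whose realm differs from the Windows domain (see the Note), whose principal host does not match the mapped account, or whose password is shared with another account or contains the account name. The function names <tt>parse_ktpass</tt> and <tt>lint</tt> are hypothetical; the realm, service name and commands are taken from this page.</p>
<pre>
```python
import shlex

# The three ktpass commands from the steps above, used here as sample input.
COMMANDS = [
    "ktpass -mapuser iseriesb -pass iseriesa123 -princ krbsvr400/iseriesb.myco.com@MYCO.COM -mapop set",
    "ktpass -mapuser iseriesc -pass iseriesa123 -princ krbsvr400/iseriesc.myco.com@MYCO.COM -mapop set",
    "ktpass -mapuser iseriesd -pass iseriesd123 -princ krbsvr400/iseriesd.myco.com@MYCO.COM -mapop set",
]


def parse_ktpass(command):
    """Return the options of one ktpass command line as a dict keyed by option name."""
    tokens = shlex.split(command)
    if not tokens or tokens[0].lower() != "ktpass":
        raise ValueError("not a ktpass command: " + command)
    args = tokens[1:]
    if len(args) % 2:
        raise ValueError("option without a value: " + command)
    return {args[i].lstrip("-/").lower(): args[i + 1] for i in range(0, len(args), 2)}


def lint(commands, realm="MYCO.COM", service="krbsvr400"):
    """Return (account, finding) pairs for mappings that are inconsistent or weak."""
    findings, seen = [], {}
    for opts in map(parse_ktpass, commands):
        user, password = opts["mapuser"], opts["pass"]
        svc, _, rest = opts["princ"].partition("/")
        host, _, princ_realm = rest.partition("@")
        if svc != service:
            findings.append((user, "unexpected service name " + svc))
        # Kerberos realm names are case-sensitive, so compare exactly.
        if princ_realm != realm:
            findings.append((user, "realm " + princ_realm + " differs from " + realm))
        if host.split(".")[0].lower() != user.lower():
            findings.append((user, "principal host does not match mapped account"))
        if password in seen:
            findings.append((user, "password shared with " + seen[password]))
        else:
            seen[password] = user
        if user.lower() in password.lower():
            findings.append((user, "password contains the account name"))
    return findings


if __name__ == "__main__":
    for account, finding in lint(COMMANDS):
        print(account + ": " + finding)
```
</pre>
</div>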
<div class="section">You have completed the propagation of the network authentication
service configuration to multiple systems. To configure the Management Central
server to take advantage of network authentication service, you need to perform
some additional tasks. See <a href="rzakhscenmc2.htm#rzakhscenmc2">Scenario: Use Kerberos authentication between Management Central servers</a> for
details.</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscenmc.htm" title="Use the following scenario to become familiar with the prerequisites and objectives for propagating your network authentication service configuration across multiple systems.">Scenario: Propagate network authentication service configuration across multiple systems</a></div>
<div class="previouslink"><strong>Previous topic:</strong> <a href="rzakhpropagatescenario_configurenasoniseriesd.htm">Configure network authentication service on iSeries D</a></div>
</div>
</div>
</body>
</html>