90 lines
6.0 KiB
HTML
90 lines
6.0 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="task" />
|
|
<meta name="DC.Title" content="Add both i5/OS service principals to the Kerberos server" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhscen2.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_configureiseriesbeim.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_createuserprofilesseries.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzakhssoscenario_addi5principals" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Add both i5/OS service principals to the Kerberos server</title>
|
|
</head>
|
|
<body id="rzakhssoscenario_addi5principals"><a name="rzakhssoscenario_addi5principals"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Add both i5/OS service principals to the Kerberos server</h1>
|
|
<div><div class="section">You can use one of two methods to add the necessary i5/OS™ service
|
|
principals to the Kerberos server. You can manually add the service principals
|
|
or, as this scenario illustrates, you can use a batch file to add them. You
|
|
created this batch file in Step 2. To use this file, you can use File Transfer
|
|
Protocol (FTP) to copy the file to the Kerberos server and run it.<p>Follow
|
|
these steps to use the batch file to add principal names to the Kerberos server:</p>
|
|
</div>
|
|
<ol><li><span>FTP batch files created by the wizard</span><ol type="a"><li><span>On the Windows<sup>®</sup> 2000 workstation that the administrator
|
|
used to configure network authentication service, open a command prompt and
|
|
type <tt>ftp kdc1.myco.com</tt>. This will start an FTP session on your PC.
|
|
You will be prompted for the administrator's user name and password.</span></li>
|
|
<li><span>At the FTP prompt, type <tt>lcd "C:\Documents and Settings\All
|
|
Users\Documents\IBM\Client Access"</tt>. Press Enter. You should receive the
|
|
message<tt class="msgph">Local directory now C:\Documents and Settings\All Users\Documents\IBM\Client
|
|
Access</tt> .</span></li>
|
|
<li><span>At the FTP prompt, type <tt>cd \<em>mydirectory</em></tt>, where <em>mydirectory</em> is
|
|
a directory located on kdc1.myco.com.</span></li>
|
|
<li><span>At the FTP prompt, type <tt>put NASConfigiseriesa.bat</tt>.
|
|
You should receive this message: <tt class="msgph">226 Transfer complete</tt>.</span></li>
|
|
<li><span>Type <tt>quit</tt> to exit the FTP session.</span></li>
|
|
</ol>
|
|
</li>
|
|
<li><span>Run both batch files on kdc1.myco.com</span><ol type="a"><li class="substepexpand"><span>On your Windows 2000 server, open the directory
|
|
where you transferred the batch files.</span></li>
|
|
<li class="substepexpand"><span>Find the <tt>NASConfigiseriesa.bat</tt> file and double click
|
|
the file to run it.</span></li>
|
|
<li class="substepexpand"><span>Repeat these steps for <tt>NASConfigiseriesb.bat</tt>.</span></li>
|
|
<li class="substepexpand"><span>After each file runs, verify that the i5/OS principal has been added to the Kerberos
|
|
server by completing the following:</span> <ol type="i"><li>On your Windows 2000 server, expand <span class="menucascade"><span class="uicontrol">Administrative
|
|
Tools</span> > <span class="uicontrol">Active Directory Users and Computers</span> > <span class="uicontrol">Users</span></span>.</li>
|
|
<li>Verify the iSeries™ has
|
|
a user account by selecting the appropriate Windows 2000 domain. <div class="note"><span class="notetitle">Note:</span> This Windows 2000
|
|
domain should be the same as the default realm name that you specified in
|
|
the network authentication service configuration.</div>
|
|
</li>
|
|
<li>In the list of users that is displayed, find <strong>iseriesa_1_krbsvr400</strong> and <strong>iseriesb_1_krbsvr400</strong>.
|
|
These are the user accounts generated for the i5/OS principal name.</li>
|
|
<li>Access the properties on your Active Directory users.
|
|
From the <span class="uicontrol">Account</span> tab, select <span class="uicontrol">Account is
|
|
trusted for delegation</span>. <div class="note"><span class="notetitle">Note:</span> This optional step enables your
|
|
system to delegate, or forward, a user's credentials to other systems. As
|
|
a result, the i5/OS service
|
|
principal can access services on multiple systems on behalf of the user. This
|
|
is useful in a multi-tier network.</div>
|
|
</li>
|
|
</ol>
|
|
</li>
|
|
</ol>
|
|
</li>
|
|
</ol>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscen2.htm" title="Use the following scenario to become familiar with the prerequisites and objectives for enabling single signon for i5/OS.">Scenario: Enable single signon for i5/OS</a></div>
|
|
<div class="previouslink"><strong>Previous topic:</strong> <a href="rzakhssoscenario_configureiseriesbeim.htm">Configure iSeries B to participate in the EIM domain and configure iSeries B for network authentication service</a></div>
|
|
<div class="nextlink"><strong>Next topic:</strong> <a href="rzakhssoscenario_createuserprofilesseries.htm">Create user profiles on iSeries A and iSeries B</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |