Network authentication service

Network authentication service allows the IBM i product and several IBM i services, such as the IBM i Access Client Solutions, to use a Kerberos ticket as an optional replacement for a user name and password for authentication.

The Kerberos protocol, developed by Massachusetts Institute of Technology, allows a principal (a user or service) to prove its identity to another service within an unsecure network. Authentication of principals is completed through a centralized server called a Kerberos server or key distribution center (KDC).
Note: Throughout this documentation, the generic term Kerberos server is used.

A user is authenticated with a principal and a password that is stored in the Kerberos server. After a principal is authenticated, the Kerberos server issues a ticket-granting ticket (TGT) to the user. When the user needs access to an application or a service on the network, the Kerberos client application on the user's PC sends the TGT back to the Kerberos server to obtain a service ticket for the target service or application. The Kerberos client application then sends the service ticket to the service or application for authentication. When the service or application accepts the ticket, a security context is established and the user's application can then exchange data with the target service. Applications can authenticate a user and securely forward his or her identity to other services on the network. Once a user's identity is known, separate functions are still needed to verify that user's authorization to use the network resources: a ticket proves who the principal is, not what it may do.
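The ticket flow described above, modelled end to end as an added example that is not IBM's code: a toy KDC, client and service in Python, where the principal names, passwords and a hash-based stand-in for Kerberos encryption are all constructed for illustration. The service validates the ticket with its own long-term key alone, and the returned principal name is only an identity, so authorization remains a separate step.

```python
import hashlib, hmac, json, os, time

def longterm_key(password):   # stands in for the Kerberos string-to-key function
    return hashlib.sha256(password.encode()).digest()

def _xor(key, nonce, data):   # toy keystream: sha256(key | nonce | counter); not a real etype
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, msg):           # toy authenticated encryption (encrypt-then-MAC) of a dict
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(msg).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):        # raises if the blob was not sealed with this key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise PermissionError("not decryptable with this key")
    return json.loads(_xor(key, nonce, ct))

class KDC:   # Kerberos server: knows every principal's long-term key plus its own TGT key
    def __init__(self, passwords):
        self.keys = {p: longterm_key(pw) for p, pw in passwords.items()}
        self.tgt_key = os.urandom(32)
    def as_exchange(self, user):   # AS_REQ -> AS_REP: issue a TGT
        sk = os.urandom(32).hex()
        tgt = seal(self.tgt_key, {"user": user, "sk": sk, "exp": time.time() + 3600})
        return tgt, seal(self.keys[user], {"sk": sk})   # only the user's key reveals the session key
    def tgs_exchange(self, tgt, authenticator, service):   # TGS_REQ -> TGS_REP: issue a service ticket
        t = unseal(self.tgt_key, tgt)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)  # proves the client holds the TGT session key
        if a["user"] != t["user"] or t["exp"] < time.time():
            raise PermissionError("bad authenticator or expired TGT")
        sk = os.urandom(32).hex()
        return seal(self.keys[service], {"user": t["user"], "sk": sk}), seal(bytes.fromhex(t["sk"]), {"sk": sk})

def client_login(kdc, user, password):
    tgt, rep = kdc.as_exchange(user)
    return tgt, bytes.fromhex(unseal(longterm_key(password), rep)["sk"])  # a wrong password fails here

def client_service_ticket(kdc, user, tgt, sk_tgs, service):
    ticket, rep = kdc.tgs_exchange(tgt, seal(sk_tgs, {"user": user, "ts": time.time()}), service)
    return ticket, bytes.fromhex(unseal(sk_tgs, rep)["sk"])

def service_accept(service_key, ticket, authenticator):   # AP_REQ: validated with the service's own key, no KDC call
    t = unseal(service_key, ticket)
    if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise PermissionError("authenticator does not match ticket")
    return t["user"]   # authenticated principal; authorization is a separate, later check
```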

Network authentication service implements the following specifications:

  • Kerberos Version 5 protocol Request for Comment (RFC) 1510 and RFC 4120
  • Many of the de facto standard Kerberos protocol application programming interfaces (APIs) prevalent in the industry today
  • Generic Security Service (GSS) APIs as defined by RFCs 1509, 1964, 2743, and 4121

The IBM i implementation of network authentication service operates with authentication, delegation, and data confidentiality services compliant with these RFCs and Microsoft's Windows Security Service Provider Interface (SSPI) APIs. Microsoft Active Directory uses Kerberos as its default security mechanism. When users are added to Microsoft Active Directory, their Windows identification is equivalent to a Kerberos principal. Network authentication service provides for interoperability with Microsoft Active Directory and its implementation of the Kerberos protocol.