Adding System A principal to the Kerberos server

You can manually add the IBM® i service principal to the Kerberos server. As this scenario illustrates, you can also use the batch file you created in Step 2 to add the principal.

To use the batch file, you can use the IFS download function in IBM Navigator for i to copy it to the Kerberos server and run it. Follow these steps to use the batch file to add the principal to the Kerberos server:
  1. Download the batch file created by the wizard to your Kerberos server.
    1. As the administrator on your Windows server, do the following:
      1. In IBM Navigator for i on System A, expand IBM i Management > File Systems > Integrated File System > Root > QIBM > UserData > OS400 > iSeriesNavigator > config
      2. Right-click NASConfig_systema.bat and select Download.
      3. Click the Download button on the Confirm Download page.
      4. Save the file. This places it in your browser's download location, which is usually the Downloads folder. Refer to your browser's documentation for how to customize the download folder location.
      Note: It is recommended that you now delete the NASConfig_systema.bat file from System A.
  2. Run the batch file on kdc1.myco.com.
    1. On your Windows server, open the folder where you downloaded the batch file.
    2. Find the NASConfig_systema.bat file and double-click the file to run it.
    3. After the file runs, verify that the IBM i principal has been added to the Kerberos server by completing the following steps:
      1. On your Windows server, expand Start > Programs > Administrative Tools > Active Directory Users and Computers > Users.
      2. Verify that the system has a user account by selecting the appropriate Windows domain.
        Note: This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.
      3. In the list of users that is displayed, find systema_1_krbsvr400. This is the user account generated for the IBM i principal name.
      4. Optional: Access the properties on your Active Directory user. From the Delegation tab, select Trust this user for delegation to any service (Kerberos only).
        Note: This optional step enables your system to delegate or forward a user's credentials to other systems. As a result, the IBM i service principal can access services on multiple systems on behalf of the user. This is useful in a multi-tier network.
      Note: It is recommended that you now delete the NASConfig_systema.bat file from your Windows server.
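
The verification in step 2 can also be done from PowerShell on the Windows server. The script below is an added example, not part of the original procedure: it assumes the ActiveDirectory module (RSAT) is installed and that the browser saved the file to the Downloads folder under the user profile. The function name Test-KrbServiceAccount is hypothetical, and the service principal name check goes beyond the steps listed above.

```powershell
# Added example: command-line version of the verification steps above.
# Assumes the ActiveDirectory module (RSAT) is installed and the session is
# logged on to the Windows domain that matches the default realm.
Import-Module ActiveDirectory

$account   = 'systema_1_krbsvr400'      # user account named in the steps above
$batchName = 'NASConfig_systema.bat'    # batch file named in the steps above
$downloads = Join-Path $env:USERPROFILE 'Downloads'   # assumed download folder

function Test-KrbServiceAccount {       # hypothetical helper name
    param([string]$SamAccountName)

    # -Filter returns nothing (instead of throwing) when the account is absent.
    $user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" `
                       -Properties ServicePrincipalNames, TrustedForDelegation

    if (-not $user) {
        Write-Warning "Account $SamAccountName was not found in this domain."
        return $null
    }

    [pscustomobject]@{
        Account              = $user.SamAccountName
        Enabled              = $user.Enabled
        DistinguishedName    = $user.DistinguishedName
        ServicePrincipalName = @($user.ServicePrincipalNames) -join '; '
        # True only if the optional Delegation tab setting was selected.
        TrustedForDelegation = $user.TrustedForDelegation
    }
}

$result = Test-KrbServiceAccount -SamAccountName $account
if ($result) {
    $result | Format-List
    if (-not $result.ServicePrincipalName) {
        Write-Warning "No service principal name is set on $account."
    }
}

# The notes above recommend deleting the batch file after it has run.
$leftover = Join-Path $downloads $batchName
if (Test-Path -LiteralPath $leftover) {
    Write-Warning "$leftover still exists; delete it as recommended."
}
```

TrustedForDelegation reports whether the optional delegation setting from the last verification step is enabled on the account, which makes it easy to confirm that the setting matches what you intended.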