You can manually add the IBM® i service principal
to the Kerberos server. As this scenario illustrates, you can also
use the batch file you created in Step 2 to add the principal.
To use the batch file, you can use the IFS
download function in IBM Navigator
for i to
copy it to the Kerberos server and run it. Follow these steps to use
the batch file to add the principal to the Kerberos server:
- Download the batch file created by the wizard to your Kerberos
server.
- As the administrator on your Windows server do the following:
- In IBM Navigator
for i on
System A, expand
- Right-click NASConfig_systema.bat and select Download.
- Click the Download button on the Confirm
Download page.
- Save the file, this will put it in your browser's download location.
Refer to your browser's documentation for how to customize the download
folder location. Usually this is the Downloads folder.
Note: It is recommended that you now delete the NASConfig_systema.bat file
from System A.
- Run batch file on kdc1.myco.com
- On your Windows server,
open the folder where you downloaded the batch file.
- Find the NASConfig_systema.bat file
and double-click the file to run it.
- After the file runs, verify that the IBM i principal has been
added to the Kerberos server by completing the following steps:
- On your Windows server,
expand .
- Verify that the system has a user account by selecting
the appropriate Windows domain.
Note: This Windows domain should be the same as the
default realm name that you specified for the network authentication
service configuration.
- In the list of users that is displayed, find systema_1_krbsvr400. This is the user account generated
for the IBM i principal
name.
- Optional: Access the properties on
your Active Directory user. From the Delegation tab,
select Trust this user for delegation to any service (Kerberos
only).
Note: This optional step enables your system to
delegate or forward a user's credentials to other systems. As a result,
the IBM i service
principal can access services on multiple systems on behalf of the
user. This is useful in a multi-tier network.
Note: It is recommended that you now delete the NASConfig_systema.bat file
from your Windows server.