Scenario: Configuring network authentication service

Here are the prerequisites and objectives for adding network authentication service to your network.

Situation

You are a network administrator who manages the network for the order receiving department in your company. You recently added an IBM® i to your network to host several applications for your department. In your network, you manage users with Microsoft Active Directory on a Microsoft Windows server. Currently all of your users have workstations that run the Microsoft Windows operating system. You have your own Kerberos-enabled applications that use Generic Security Services (GSS) APIs.

This scenario has the following advantages:

  • Simplifies the authentication process for users
  • Eases the overhead of managing access to systems in the network
  • Minimizes the threat of password theft

Objectives

In this scenario, MyCo, Inc. wants to add an IBM i to an existing realm where a Windows server acts as the Kerberos server. The IBM i platform contains several business-critical applications that need to be accessed by the correct users. Users need to be authenticated by the Kerberos server to gain access to these applications.

The objectives of this scenario are as follows:

  • To allow the IBM i platform to participate in an existing Kerberos realm
  • To allow for both principal names and user names in the network
  • To allow Kerberos users to change their own passwords on the Kerberos server

Details

The following figure illustrates the network characteristics of MyCo.

Figure: Diagram of the network for network authentication service configuration

System A

  • Runs IBM i 5.4, or later, with the following options and licensed programs installed:
    • IBM i Host Servers (5770-SS1 Option 12)
    • Qshell Interpreter (5770-SS1 Option 30)
    • Network Authentication Enablement (5770-NAE)
  • The principal name of System A is krbsvr400/systema.myco.com@MYCO.COM.

Windows server

  • Acts as the Kerberos server for the MYCO.COM realm.
  • The fully qualified host name of the Kerberos server is kdc1.myco.com.

Client PCs

  • Run Windows.

Prerequisites and assumptions

  1. All system requirements, including software and operating system installation, have been verified.
    To verify that the required licensed programs have been installed, follow these steps:
    1. In IBM Navigator for i, expand IBM i Management > Configuration and Service > Software and select Installed Products.
    2. Ensure that all the necessary licensed programs are installed.
  2. All necessary hardware planning and setup have been completed.
  3. TCP/IP and basic system security have been configured and tested on each of these servers.
  4. A single DNS server is used for host name resolution for the network. Host tables are not used for host name resolution.
    Note: The use of host tables with Kerberos authentication might result in name resolution errors or other problems. For more detailed information about how host name resolution works with Kerberos authentication, see Host name resolution considerations.
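The host name resolution prerequisite above is worth checking before any Kerberos configuration starts, because System A's service principal (krbsvr400/systema.myco.com@MYCO.COM) is derived from the canonical fully qualified host name, and a forward lookup that does not agree with the reverse lookup shows up later as an opaque ticket or name resolution failure. The following is an added example, not IBM's code or part of this scenario: it builds the expected principal from a service name, host and realm, and checks that each host resolves forward and that the address maps back to the same name. The function names, the 192.0.2.0/24 addresses and the DNS table are constructed for illustration; the resolvers are injectable so the same check runs against the live DNS server by passing the defaults.

```python
"""Pre-flight check for the Kerberos host-name resolution prerequisite.

Constructed example. Forward and reverse DNS must agree for every host
that will appear in a principal name, because Kerberos builds service
principals such as krbsvr400/systema.myco.com@MYCO.COM from the
canonical fully qualified host name.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class DnsCheckResult:
    """Outcome for one host; an empty problems list means it passed."""
    host: str
    address: Optional[str] = None
    reverse_name: Optional[str] = None
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def service_principal(service: str, host: str, realm: str) -> str:
    """Build a principal of the form service/host@REALM.

    The host is lower-cased with any trailing dot removed and the realm
    is upper-cased, the form used in the scenario.
    """
    if not service or "/" in service or "@" in service:
        raise ValueError(f"invalid service name: {service!r}")
    if "." not in host:
        raise ValueError(f"host must be fully qualified: {host!r}")
    return f"{service}/{host.lower().rstrip('.')}@{realm.upper()}"


def _reverse_lookup(address: str) -> str:
    """Default reverse resolver: the primary (PTR) name for an address."""
    return socket.gethostbyaddr(address)[0]


def check_host_resolution(
    host: str,
    forward: Callable[[str], str] = socket.gethostbyname,
    reverse: Callable[[str], str] = _reverse_lookup,
) -> DnsCheckResult:
    """Verify that host resolves and that its address maps back to it."""
    result = DnsCheckResult(host=host)
    canonical = host.lower().rstrip(".")
    if "." not in canonical:
        result.problems.append("host name is not fully qualified")
    try:
        result.address = forward(canonical)
    except (OSError, KeyError) as exc:  # socket errors are OSError subclasses
        result.problems.append(f"forward lookup failed: {exc!r}")
        return result
    try:
        result.reverse_name = reverse(result.address)
    except (OSError, KeyError) as exc:
        result.problems.append(f"reverse lookup of {result.address} failed: {exc!r}")
        return result
    if result.reverse_name.lower().rstrip(".") != canonical:
        result.problems.append(
            f"reverse lookup of {result.address} returned "
            f"{result.reverse_name!r}, expected {canonical!r}"
        )
    return result


def check_hosts(hosts: Iterable[str], forward, reverse) -> Dict[str, DnsCheckResult]:
    """Run the check over several hosts, keyed by host name."""
    return {h: check_host_resolution(h, forward, reverse) for h in hosts}


# Constructed DNS data standing in for the scenario's single DNS server.
# Addresses are from the documentation range 192.0.2.0/24; badhost.myco.com
# has a deliberately stale PTR record to show what the check reports.
CONSTRUCTED_FORWARD: Dict[str, str] = {
    "systema.myco.com": "192.0.2.10",
    "kdc1.myco.com": "192.0.2.1",
    "badhost.myco.com": "192.0.2.20",
}
CONSTRUCTED_REVERSE: Dict[str, str] = {
    "192.0.2.10": "systema.myco.com",
    "192.0.2.1": "kdc1.myco.com",
    "192.0.2.20": "oldname.myco.com",  # stale PTR record
}


def constructed_forward(host: str) -> str:
    return CONSTRUCTED_FORWARD[host]


def constructed_reverse(address: str) -> str:
    return CONSTRUCTED_REVERSE[address]


if __name__ == "__main__":
    print("System A principal:",
          service_principal("krbsvr400", "systema.myco.com", "MYCO.COM"))
    hosts = ["systema.myco.com", "kdc1.myco.com", "badhost.myco.com", "nosuch.myco.com"]
    for name, res in check_hosts(hosts, constructed_forward, constructed_reverse).items():
        print("OK  " if res.ok else "FAIL", name, "->", res.address, "->", res.reverse_name)
        for problem in res.problems:
            print("     ", problem)
```

Run it as written to see the constructed table reported; drop the two constructed resolver arguments to run the same check against the network's real DNS server for systema.myco.com and kdc1.myco.com.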

Configuration steps

To configure network authentication service on your system, complete these steps.