Scenario: Setting up cross-realm trust

Here are the prerequisites and objectives for setting up cross-realm trust on your network.

Situation

You are a security administrator for a large wholesale company. Currently you manage security for systems used by employees of the Order Receiving Department and the Shipping Department. You have configured a Kerberos server for the Order Receiving Department. You have configured network authentication service in the IBM® i environment in that department to point to that Kerberos server. The Shipping Department consists of an IBM i that has a Kerberos server configured in PASE for i. You have also configured network authentication service on this IBM i to point to the Kerberos server in PASE for i.

Because users in both realms need to use services stored on systems located in each department, you want both of the Kerberos servers in each department to authenticate users regardless of which Kerberos realm they are located in.

Objectives

In this scenario, MyCo, Inc. wants to establish a trust relationship between two existing Kerberos realms. One realm consists of a Windows server acting as the Kerberos server for the Order Receiving Department. This server authenticates users within that department to services located on an IBM i platform. The other realm consists of a Kerberos server configured in PASE for i on one IBM i platform, which provides services for the users within the Shipping Department. Your users need to be authenticated to services in both departments.

The objectives of this scenario are as follows:
  • To give clients and hosts on each network access to the other's network
  • To simplify authentication across networks
  • To allow ticket delegation for users and services in both networks

Details

Here is a detailed description of the environment that this scenario describes, including a figure that shows the topology and all major elements of that environment and how they relate to each other.

Cross realm trust diagram

Order Receiving Department

System A

  • Runs IBM i 5.4, or later, with the following options and licensed programs installed:
    • IBM i Host Servers (5770-SS1 Option 12)
    • Network Authentication Enablement (5770-NAE)
  • Has network authentication service configured to participate in the realm ORDEPT.MYCO.COM. The IBM i principal, krbsrv400/systema.ordept.myco.com@ORDEPT.MYCO.COM, has been added to the Windows domain.
  • System A has the fully qualified host name of systema.ordept.myco.com.

Windows server

  • Acts as the Kerberos server for the realm, ORDEPT.MYCO.COM.
  • Has the DNS host name of kdc1.ordept.myco.com.
  • Each user within the Order Department has been defined in Microsoft Active Directory on the Windows server with a principal name and password.

Client PCs

  • Run Windows operating system.

Shipping Department

System B

  • Runs IBM i 5.4 with the following options and licensed programs installed:
    • PASE for i (5770-SS1 Option 33)
    • Network Authentication Enablement (5770-NAE)
  • Has a Kerberos server configured in PASE for i with the realm of SHIPDEPT.MYCO.COM.
  • Has network authentication service configured to participate in the realm SHIPDEPT.MYCO.COM. The IBM i principal, krbsrv400/systemb.shipdept.myco.com@SHIPDEPT.MYCO.COM, has been added to the PASE for i Kerberos server.
  • Both System B and the PASE for i Kerberos server share the fully qualified host name systemb.shipdept.myco.com.
  • Each user within the Shipping Department has been defined in the PASE for i Kerberos server with a principal name and password.

Client PCs

  • Run Windows operating system.

Prerequisites and assumptions

In this scenario, the following assumptions have been made to focus on the tasks that involve establishing a trust relationship between two pre-existing Kerberos realms.

System A prerequisites
  1. All system requirements, including software and operating system installation, have been verified.
    To verify that the required licensed programs have been installed, follow these steps:
    1. In IBM Navigator for i, expand IBM i Management > Configuration and Service > Software and select Installed Products.
    2. Ensure that all the necessary licensed programs are installed.
  2. All necessary hardware planning and setup have been completed.
  3. TCP/IP and basic system security have been configured and tested on System A.
  4. Network authentication service has been configured and tested.
  5. A single DNS server is used for host name resolution for the network. Host tables are not used for host name resolution.
    Note: The use of host tables with Kerberos authentication might result in name resolution errors or other problems. For more detailed information about how host name resolution works with Kerberos authentication, see Host name resolution considerations.
System B prerequisites
  1. All system requirements, including software and operating system installation, have been verified.
    To verify that the required licensed programs have been installed, follow these steps:
    1. In IBM Navigator for i, expand IBM i Management > Configuration and Service > Software and select Installed Products.
    2. Ensure that all the necessary licensed programs are installed.
  2. All necessary hardware planning and setup have been completed.
  3. TCP/IP and basic system security have been configured and tested on your system.
  4. Network authentication service has been configured and tested.
Windows server prerequisites
  1. All necessary hardware planning and setup have been completed.
  2. TCP/IP has been configured and tested on your server.
  3. Microsoft Active Directory has been configured and tested.
  4. Each user within the Order Department has been defined in Microsoft Active Directory with a principal name and password.

Configuration steps

To set up a trust relationship between two realms, complete these steps.