Configure single sign-on authentication on AIX


Why would single sign-on (SSO) be an advantage to your system? The main advantage is that when users' credentials are stored centrally, a user authenticates once to the central server and can then use resources across all the systems. The user does not have to authenticate to each individual client in order to access those resources.

SSO can also improve the productivity of network users, reduce the cost of network operations, and improve network security.

Figure 1. SSO authentication on AIX®

Figure 1 shows how SSO authentication works when AIX is configured against a centralized authentication server such as a Microsoft® Windows® Active Directory server.

When the user logs on to AIX client1 using SSH or telnet, the user is prompted for a password. The password itself never leaves the client: it is used to derive the key that encrypts the pre-authentication data sent to the centralized server (the Kerberos KDC) and decrypts the KDC's reply, which is how the user's identity is proved. Once the identity is verified, the KDC issues a ticket-granting ticket (TGT) to the user. With that TGT the client obtains service tickets for other AIX client systems, so the user can log on to them without re-entering the password.

See the Related topics section for information on configuring Kerberized OpenSSH on AIX.

Advantages of the SSO authentication mechanism

SSO provides many benefits such as:

  • Single sign-on uses the centralized server for authentication, so the same credentials can be used for accessing any of the client systems.
  • SSO reduces the time spent re-entering user names and passwords for the same user.
  • SSO reduces the network traffic to the centralized server.
  • SSO uses the same authentication method for all users and all applications to prove their identity.
  • SSO reduces operational cost and time to access data.
  • Users do not have to remember too many passwords.


This article covers how to configure an AIX Kerberos client with Microsoft Windows Active Directory server as the Kerberos Key Distribution Center (KDC), and how to implement the single sign-on authentication mechanism between various AIX Kerberos clients.

Configuring a Microsoft Active Directory server

Refer to the Related topics section for documentation to configure Microsoft Active Directory server on Windows 2003.

Also make sure that the KDC is up and running. This can be verified from the Services window (Programs -> Administrative tools -> Services). If the Kerberos Key Distribution Center service is not running, right-click it and choose Start.

Configuring an AIX Kerberos client with Microsoft Active Directory server

Install the Kerberos filesets on an AIX client system using the smit or installp command. These filesets are available on AIX expansion CDs or they can be downloaded (See the Related topics section for download information).

# lslpp -l | grep krb5
  krb5.client.rte             COMMITTED  Network Authentication Service
  krb5.client.samples         COMMITTED  Network Authentication Service
  krb5.msg.en_US.client.rte   COMMITTED  Network Auth Service Client

Make sure that the Microsoft Active Directory server is reachable from the AIX clients (name resolution in both directions matters, because the host principal is built from the client's fully qualified host name). Then follow these steps to configure the AIX Kerberos client against the Microsoft Active Directory server.

  1. If a Kerberos client was configured previously on the AIX client, remove that configuration first with the unconfig.krb5 command. If it was not, skip this step.
     # unconfig.krb5
     Warning: All configuration information will be removed.
     Do you wish to continue? [y/n]
     Removing configuration...
     The command completed successfully
  2. Configure the AIX Kerberos client using the config.krb5 command. Here Microsoft Active Directory 2003 is the Kerberos server. The -C flag configures the client side; the remaining options are:
    • -r realm = the Kerberos realm. For Active Directory this is the Windows 2003 domain name written in upper case; realm names are case-sensitive, so use the same spelling everywhere (here ZTRANS.IBM.COM)
    • -d domain = DNS domain name of the machine hosting the Windows 2003 Active Directory server
    • -c KDC = host name of the Windows 2003 server acting as the KDC
    • -s server = host name of the Windows 2003 server acting as the Kerberos administration server (the same domain controller here)
    # config.krb5 -C -r ZTRANS.IBM.COM -d -c 
    Initializing configuration...
    Creating /etc/krb5/krb5_cfg_type... 
    Creating /etc/krb5/krb5.conf... 
    The command completed successfully.
  3. The Windows 2003 Active Directory KDC does not support all of the encryption types that the AIX client offers by default, so restrict the ticket encryption types in the [libdefaults] section of /etc/krb5/krb5.conf to the ones the KDC supports.

    Edit the file so that the section contains:

            default_tkt_enctypes = des-cbc-crc des-cbc-md5
            default_tgs_enctypes = des-cbc-crc des-cbc-md5

    Single DES is cryptographically weak, and this setting should be regarded as a legacy accommodation for Windows 2003. Domain controllers at the Windows Server 2008 functional level and later support AES (aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96), and DES is disabled by default from Windows 7 and Windows Server 2008 R2 onward. Against such a KDC, list the AES types here and leave DES out, provided the AIX Network Authentication Service level installed supports them.
  4. Add the following stanzas to the /usr/lib/security/methods.cfg file. KRB5A is the Kerberos authentication-only load module; the compound stanza (conventionally named KRB5Afiles) pairs it with the local user database, so that user identification comes from the AIX files and authentication from Kerberos:

        KRB5A:
                program = /usr/lib/security/KRB5A
                options = authonly

        KRB5Afiles:
                options = db=BUILTIN,auth=KRB5A
  5. On the Microsoft Windows 2003 Active Directory server, create a user account for the AIX client, named after the AIX host name. This account is mapped to the client's host principal in the next step.

    In this case the AIX client is indus52, so create a user named indus52 on the Windows Active Directory. While creating the user, it prompts for the user's password; provide a valid password. (The ktpass command in the next step resets this password when it generates the keytab, so the value entered here is not the one that ends up in use.)

  6. On the Microsoft Active Directory server, run the ktpass command to map the AIX host principal to that account and generate the keytab file for the AIX client.

    By default, the ktpass command is not installed on the Windows 2003 server. It can be installed from the Windows 2003 CD under the "support tools" directory.

    ktpass -princ host/  -mapuser indus52 
         -pass admin -kvno 3 -out indus52.keytab

    The principal is of the form host/<fully qualified host name of the AIX client>@<REALM>. The -pass option sets the mapped account's password, and a password typed on the command line is visible in the command history; use -pass * to be prompted for it instead.

    Note that on Windows 2003, ktpass by default writes KVNO (key version number) 1 into the keytab. When the AIX client tries to connect to the AD, AD 2003 always returns KVNO 3, which does not match the KVNO stored in the keytab file, so host authentication fails. Generate the keytab with KVNO 3 by providing the -kvno 3 option.

    Copy this keytab file (indus52.keytab) to the AIX Kerberos client (indus52) in binary mode. The keytab contains the host's long-term key: transfer it over an authenticated, encrypted channel (scp rather than plain FTP), and delete the copy left on the Windows server once it has been merged.

  7. Merge the copied file into /etc/krb5/krb5.keytab using the ktutil command. Run it as root, since the system keytab is written, and keep that file owned by root with mode 600: anyone who can read it holds the host key.
    # ktutil
      ktutil: rkt indus52.keytab
      ktutil: wkt /etc/krb5/krb5.keytab
      ktutil: q

    Use the list command in ktutil (after rkt, before quitting) to see the entries read from the keytab:

    ktutil: list
    Slot     KVNO     Principal
    ------   -----------    -----------------------------------------------
    1          3                  host/
  8. Create a user on the AIX client that corresponds to the Windows 2003 user account; the AIX user name and the Kerberos principal name must match.

    Make sure that the user's attributes are configured properly on the AIX Kerberos client for the user to authenticate through Kerberos: the user's SYSTEM and registry attributes (set with chuser) must name the compound stanza defined in methods.cfg, for example KRB5Afiles, rather than the default local method.

  9. Use kinit to check that the user can authenticate against the Kerberos server. A silent return to the prompt means the KDC accepted the password; klist then shows the resulting ticket-granting ticket.
     # /usr/krb5/bin/kinit test
     Password for test@ZTRANS.IBM.COM:
  10. Verify that the newly created user is able to log in to AIX client using ssh/telnet.
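The following script is an added example and is not part of the original article or of the AIX Network Authentication Service. It performs two checks a practitioner wants after finishing the steps above: that the enctypes pinned in step 3 are not single DES only, and that the KVNO in the keytab produced in steps 6 and 7 matches the KVNO the KDC issues. The host name indus52.ztrans.ibm.com, the sample krb5.conf fragments, and the klist/kvno listings are constructed for the example (the article does not show the client's FQDN); the parsers assume the MIT-style output format of klist -k and kvno.

```sh
#!/bin/sh
# Added example, not from the original article: post-configuration checks
# for the AIX Kerberos client set up in the steps above.
#   1. step 3 pins the ticket enctypes; single DES is what Windows 2003
#      offers, but a krb5.conf that lists only DES types should be flagged
#   2. step 6 warns that the KVNO in the keytab must match the KVNO the KDC
#      issues; a mismatch makes host authentication fail later
# Every function reads from stdin or arguments, so the checks run offline on
# the constructed samples at the end. On a real client, feed them the live
# output of /usr/krb5/bin/klist -k and /usr/krb5/bin/kvno instead
# (MIT-style output format is assumed).

# enctype_strength: read a krb5.conf on stdin; print "weak" when every type
# listed for default_tkt_enctypes / default_tgs_enctypes is single DES,
# "ok" otherwise. Exit 1 if neither key is present.
enctype_strength() {
  awk '
    /^[ \t]*default_(tkt|tgs)_enctypes[ \t]*=/ {
      seen = 1
      sub(/^[^=]*=[ \t]*/, "")                 # keep only the value list
      n = split($0, t, /[ \t]+/)
      for (i = 1; i <= n; i++)
        if (t[i] != "" && t[i] !~ /^des-cbc-/) strong = 1
    }
    END { if (!seen) exit 1; print (strong ? "ok" : "weak") }'
}

# keytab_kvno: $1 = principal; stdin = "klist -k" output.
# Prints the KVNO stored for that principal, exit 1 if it has no entry.
keytab_kvno() {
  awk -v p="$1" '
    NF == 2 && $1 ~ /^[0-9]+$/ && $2 == p { print $1; found = 1 }
    END { exit (found ? 0 : 1) }'
}

# kdc_kvno: $1 = principal; stdin = "kvno <principal>" output, which has
# the form "<principal>: kvno = N". Prints N, exit 1 if absent.
kdc_kvno() {
  awk -v p="$1" '
    $1 == (p ":") && $2 == "kvno" && $3 == "=" { print $4; found = 1 }
    END { exit (found ? 0 : 1) }'
}

# check_kvno: $1 = principal, $2 = klist -k text, $3 = kvno text.
# Returns 0 and prints "match kvno=N" when keytab and KDC agree; otherwise
# prints the reason and returns 1.
check_kvno() {
  kt=$(printf '%s\n' "$2" | keytab_kvno "$1") ||
    { echo "no keytab entry for $1"; return 1; }
  kdc=$(printf '%s\n' "$3" | kdc_kvno "$1") ||
    { echo "KDC returned no kvno for $1"; return 1; }
  if [ "$kt" = "$kdc" ]; then
    echo "match kvno=$kt"
  else
    echo "MISMATCH keytab=$kt kdc=$kdc: regenerate with ktpass -kvno $kdc"
    return 1
  fi
}

# ---- constructed samples (not captured from a real system) ---------------
# The host name indus52.ztrans.ibm.com is an assumption for the example.
PRINC='host/indus52.ztrans.ibm.com@ZTRANS.IBM.COM'

KRB5CONF_DES='[libdefaults]
        default_realm = ZTRANS.IBM.COM
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        default_tgs_enctypes = des-cbc-crc des-cbc-md5'

KRB5CONF_AES='[libdefaults]
        default_realm = ZTRANS.IBM.COM
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96'

# keytab written by ktpass without -kvno 3 ...
KLIST_K_BAD='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   1 host/indus52.ztrans.ibm.com@ZTRANS.IBM.COM'
# ... and the one written with -kvno 3
KLIST_K_OK='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 host/indus52.ztrans.ibm.com@ZTRANS.IBM.COM'
# what the Windows 2003 KDC reports for the host principal
KVNO_OUT='host/indus52.ztrans.ibm.com@ZTRANS.IBM.COM: kvno = 3'

printf '%s\n' "$KRB5CONF_DES" | enctype_strength        # weak
printf '%s\n' "$KRB5CONF_AES" | enctype_strength        # ok
check_kvno "$PRINC" "$KLIST_K_BAD" "$KVNO_OUT" || true  # MISMATCH keytab=1 kdc=3: ...
check_kvno "$PRINC" "$KLIST_K_OK"  "$KVNO_OUT"          # match kvno=3
```

On a configured client the live form is `/usr/krb5/bin/klist -k /etc/krb5/krb5.keytab | keytab_kvno host/<fqdn>@<REALM>` against `/usr/krb5/bin/kvno host/<fqdn>@<REALM> | kdc_kvno host/<fqdn>@<REALM>`; a mismatch is exactly the step 6 failure, and the fix is a fresh keytab generated with the KVNO the KDC reports.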

Implementing SSO authentication on AIX

Make sure that the AIX Kerberos client is successfully configured to the Windows Active Directory server and verify that the users are able to log in successfully using the ssh/telnet protocol.

Follow these steps for implementing SSO on AIX. These steps are the same when AIX is configured as the client for the AIX Kerberos LDAP server.

  1. Enable the authentication methods on the AIX systems using the chauthent command. The chauthent command sets the authentication methods, and the order in which they are tried, from the flags given. By default, an AIX system is configured with only the standard AIX authentication mechanism. Enable Kerberos 5 first, with standard AIX authentication as the fallback, as follows:
    # chauthent -k5 -std

    The lsauthent command lists the authentication methods configured on the system, in the order they are tried:

    Kerberos 5
    Standard AIX

    Keeping -std means a login whose Kerberos authentication fails silently falls back to a password prompt; once Kerberos works on every client, drop -std if ticket-based login is to be enforced.
  2. Log in as a test user using telnet/SSH and generate a forwardable ticket for the Kerberos user with the /usr/krb5/bin/kinit command:
    # /usr/krb5/bin/kinit -f test
    Password for test@ZTRANS.IBM.COM:

    The kinit -f command requests a forwardable ticket-granting ticket for the test user. The attributes of the ticket can be listed using the klist command with the -f option:

    # /usr/krb5/bin/klist -f
    Ticket cache: /tmp/krb5cc_320
    Default principal: test@ZTRANS.IBM.COM
    Valid starting      Expires             Service principal
    31/03/08 19:06:25  31/03/08 19:16:25  krbtgt/ZTRANS.IBM.COM@ZTRANS.IBM.COM
            Flags: FRIA

    The flag letters mean:

    • F – Forwardable
    • R – Renewable
    • I – Initial
    • A – Pre-authenticated

    With this forwardable ticket the user can telnet or SSH to other AIX clients without providing the password. The -F option of telnet forwards a copy of the ticket-granting ticket to the remote host, which can then act as the user (for example, to reach a third system); forward credentials only to hosts trusted to that extent, and prefer Kerberized SSH with GSSAPI delegation over telnet where it is available, since telnet otherwise carries the session in the clear.

    The telnet command is used as follows:

    # telnet -F -l test
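The following script is an added example and is not part of the original article. It guards the SSO hop described in step 2: the passwordless login to a second AIX client only works when the cached ticket-granting ticket carries the F flag that kinit -f requests, so the script checks the klist -f output for that flag before building the login command. The klist -f samples are constructed in the shape the article shows, client2.ztrans.ibm.com is an assumed host name, and the ssh options are OpenSSH's GSSAPI options, used here instead of the article's telnet -F.

```sh
#!/bin/sh
# Added example, not from the original article: a guard for the SSO hop in
# step 2 above. Without the F (forwardable) flag on the TGT the remote host
# receives no credentials and falls back to a password prompt. The functions
# read "klist -f" output from stdin so they can be exercised offline on the
# constructed samples below; on a client, pipe /usr/krb5/bin/klist -f into
# them. client2.ztrans.ibm.com is an assumed host name.

# tgt_flags: print the flag string of the krbtgt/<REALM> entry in
# "klist -f" output; exit 1 when no TGT is cached.
tgt_flags() {
  awk '
    $NF ~ /^krbtgt\// { want = 1; next }          # the TGT line itself
    want && $1 == "Flags:" { print $2; found = 1; exit }
    { want = 0 }                                  # a Flags: line belongs to the line before it
    END { exit (found ? 0 : 1) }'
}

# tgt_forwardable: exit 0 only if the cached TGT has the F flag. The letter
# is case-sensitive: lower-case f means "forwarded", not "forwardable".
tgt_forwardable() {
  flags=$(tgt_flags) || return 1
  case $flags in
    *F*) return 0 ;;
    *)   return 1 ;;
  esac
}

# sso_cmd: $1 = user, $2 = remote AIX client; stdin = "klist -f" output.
# Prints the ssh command that performs the hop with credential delegation
# (the equivalent of the article's "telnet -F"), or a diagnostic and exit 1.
# Delegation hands the remote host a copy of the TGT, so only use it toward
# hosts trusted to act as the user.
sso_cmd() {
  if tgt_forwardable; then
    printf 'ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes -l %s %s\n' "$1" "$2"
  else
    echo "no forwardable TGT in the cache: run /usr/krb5/bin/kinit -f first" >&2
    return 1
  fi
}

# ---- constructed "klist -f" samples (dates mirror the article's) ---------
KLIST_FWD='Ticket cache: /tmp/krb5cc_320
Default principal: test@ZTRANS.IBM.COM
Valid starting      Expires             Service principal
31/03/08 19:06:25  31/03/08 19:16:25  krbtgt/ZTRANS.IBM.COM@ZTRANS.IBM.COM
        Flags: FRIA'
# the same cache when the TGT was obtained without -f (and without
# forwardable = true in krb5.conf): F is missing
KLIST_PLAIN='Ticket cache: /tmp/krb5cc_320
Default principal: test@ZTRANS.IBM.COM
Valid starting      Expires             Service principal
31/03/08 19:06:25  31/03/08 19:16:25  krbtgt/ZTRANS.IBM.COM@ZTRANS.IBM.COM
        Flags: RIA'

printf '%s\n' "$KLIST_FWD"   | sso_cmd test client2.ztrans.ibm.com          # prints the ssh line
printf '%s\n' "$KLIST_PLAIN" | sso_cmd test client2.ztrans.ibm.com || true  # diagnostic on stderr
```

The check is deliberately done on the client before connecting: an SSH or telnet login that silently falls back to password authentication (because -std is still enabled in chauthent) looks like success but is not SSO, and this is the quickest way to tell the two apart.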

Related topics