Can anyone direct me to appropriate documentation regarding best practices for configuring RAA to use Windows domain authentication for users? DB2, RAA and WAS are installed on a Windows server using local Windows ids. It is not practical to add all users to the local server, so I want to authenticate them using their normal domain ids. All users are defined to a domain global group which is included in a server local group. I tried a few variations on configuration, but I have not found one that works reliably.
Any suggestions would be much appreciated.
Pinned topic RAA authentication using DB2 against Windows domain
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2012-12-07T22:08:26Z at 2012-12-07T22:08:26Z by dowdsp
dowdsp 1000006U2817 Posts
Re: RAA authentication using DB2 against Windows domain2012-12-07T22:08:26ZThis is the accepted answer. This is the accepted answer.Hi Dave,
There's really not a particular RAA-preferred way to implement domain authentication for RAA users. In my experience, if DB2 and Windows are happy, then RAA is happy. To be more specific, you'd need to follow the guidelines for Windows security and how it affects DB2 as documented in the DB2 Information Center. Here's a high-level link:
But as to more specific ideas, especially for a domain group that's been added to a local server group, I've previously had customers make breakthroughs in their configuration of getting a group of domain users to be able to access RAA correctly by the correct settings of the DB2_GRP_LOOKUP parameter, as documented here:
and note that you may want to try not only something like:
but also something like this if the above doesn't work:
depending on your setup.
One final recommendation that I've seen given in at least one case was that, if the DB2 service on Windows is running under an account other than the local system account, you could try configuring it (DB2-0 service, e.g. DB2 - DB2COPY1 - DB2-0) to log on with the local system account .\LocalSystem .
Hope that helps a bit...