Kerberos compatibility information
You must take specific actions when using Kerberos authentication with databases on IBM® System z®, IBM i, and Windows systems.
IBM System z and IBM i compatibility
To connect to a database on an IBM System z or IBM i system, you must catalog the database by using the AUTHENTICATION and KERBEROS TARGET PRINCIPAL parameters of the CATALOG DATABASE command.
Neither IBM System z nor IBM i operating systems support the mutual authentication security feature of Kerberos.
Windows issues
When you are using Kerberos on Windows operating systems, be aware of the following issues:
- Due to the manner in which Windows operating systems detect and report some errors, the following conditions result in a client security plug-in error:
  - Expired account
  - Invalid password
  - Expired password
  - Password change forced by administrator
  - Disabled account
  Furthermore, in all cases, the Db2® administration log or the db2diag log files contain Logon failed or Logon denied messages.
- If a domain account name is also defined locally, connections explicitly specifying the domain name and password fail with the following error: The Local Security Authority cannot be contacted. The error is a result of the Windows operating system locating the local user first. The solution is to fully qualify the user in the connection string, for example name@DOMAIN.IBM.COM.
- Windows accounts cannot include the at sign (@) character in their names because the Db2 Kerberos plug-in assumes that the character is the domain name separator.
- If the client and server are both on the Windows operating system, you can start the Db2 service using the LocalSystem account. However, if the client and server are in different domains, the connection can fail with an invalid target principal name error. To avoid this error, explicitly catalog the target principal on the client with the CATALOG DATABASE command, using the fully qualified server host name and the fully qualified domain name. Use the following format: host/server hostname@server domain name. For example, host248/server34.toronto.ibm.com@TORONTO.IBM.COM. An alternative to using the LocalSystem account is to use a valid domain account.
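The following script is an added example, not IBM's own code, that ties together the two places above where the target principal must be cataloged explicitly: the IBM System z and IBM i case, and the cross-domain Windows case. It builds a principal in the documented host/server hostname@server domain name form, refuses an unqualified host name (the cause of the invalid target principal name error), rejects account names containing the at sign, and prints the CATALOG DATABASE command with the AUTHENTICATION KERBEROS TARGET PRINCIPAL clause. The database name sample, the node name srvnode and the host srvhost are constructed values; the script is POSIX sh so it runs anywhere, and only prints the db2 command rather than executing it, so it works without a Db2 client installed. The service prefix defaults to host as in the stated format; pass a different prefix as the fifth argument if your server registers another one.

```shell
#!/bin/sh
# Added example (not IBM's own code): build a Db2 Kerberos target principal
# in the form <service>/<fully qualified server host name>@<SERVER DOMAIN NAME>
# and emit the CATALOG DATABASE command that pins it on the client.

# kerberos_target_principal FQDN DOMAIN [SERVICE]
# Prints e.g. host/server34.toronto.ibm.com@TORONTO.IBM.COM.
# Fails if the host name is not fully qualified, because an unqualified
# name is what produces the invalid target principal name error.
kerberos_target_principal() {
    fqdn="$1"
    domain="$2"
    service="${3:-host}"          # "host" is the documented default prefix
    case "$fqdn" in
        *.*) ;;                   # contains a dot: treat as fully qualified
        *) echo "error: server host name must be fully qualified: $fqdn" >&2
           return 1 ;;
    esac
    # Kerberos realm names are case-sensitive and conventionally upper case,
    # even though Windows domain names compare case-insensitively.
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    printf '%s/%s@%s\n' "$service" "$fqdn" "$realm"
}

# valid_account_name NAME
# Returns 0 unless NAME contains '@', which the Db2 Kerberos plug-in
# treats as the domain name separator.
valid_account_name() {
    case "$1" in
        *@*) return 1 ;;
        *)   return 0 ;;
    esac
}

# catalog_with_target_principal DBNAME NODE FQDN DOMAIN [SERVICE]
# Prints the db2 CLP command (constructed; remove the leading echo to run it
# for real in a Db2 command window on the client).
catalog_with_target_principal() {
    dbname="$1"; node="$2"; fqdn="$3"; domain="$4"; service="${5:-host}"
    principal=$(kerberos_target_principal "$fqdn" "$domain" "$service") || return 1
    echo db2 catalog database "$dbname" at node "$node" \
        authentication kerberos target principal "$principal"
}

# Usage with constructed values (sample, srvnode) and the host/domain from
# the text above.
catalog_with_target_principal sample srvnode server34.toronto.ibm.com TORONTO.IBM.COM
```

After cataloging, db2 list database directory on the client should show the entry with Authentication: KERBEROS and the target principal you supplied; if the connection still fails with the invalid target principal name error, compare that value character for character with the server's registered service principal.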