Scenario: Setting up cross-realm trust
Here are the prerequisites and objectives for setting up cross-realm trust on your network.
Situation
You are a security administrator for a large wholesale company. Currently you manage security for systems used by employees of the Order Receiving Department and the Shipping Department. You have configured a Kerberos server for the Order Receiving Department. You have configured network authentication service in the IBM® i environment in that department to point to that Kerberos server. The Shipping Department consists of an IBM i that has a Kerberos server configured in PASE for i. You have also configured network authentication service on this IBM i to point to the Kerberos server in PASE for i.
Because users in both realms need to use services stored on systems located in each department, you want both of the Kerberos servers in each department to authenticate users regardless of which Kerberos realm they are located in.
Objectives
In this scenario, MyCo, Inc. wants to establish a trust relationship between two existing Kerberos realms. One realm consists of a Windows server acting as the Kerberos server for the Order Receiving Department. This server authenticates users within that department to services located on an IBM i platform. The other realm consists of a Kerberos server configured in PASE for i on one IBM i platform, which provides services for the users within the Shipping Department. Your users need to be authenticated to services in both departments.
- To give clients and hosts on each network access to the other's network
- To simplify authentication across networks
- To allow ticket delegation for users and services in both networks
Details
Here is a detailed description of the environment that this scenario describes, including a figure that shows the topology and all major elements of that environment and how they relate to each other.
Order Receiving Department
System A
- Runs IBM i 5.4,
or later, with the following options and licensed programs installed:
- IBM i Host Servers (5770-SS1 Option 12)
- Network Authentication Enablement (5770-NAE)
- Has network authentication service configured to participate in the realm ORDEPT.MYCO.COM. The IBM i principal, krbsrv400/systema.ordept.myco.com@ORDEPT.MYCO.COM, has been added to the Windows domain.
- System A has the fully qualified host name of systema.ordept.myco.com.
Windows server
- Acts as the Kerberos server for the realm, ORDEPT.MYCO.COM.
- Has the DNS host name of kdc1.ordept.myco.com.
- Each user within the Order Department has been defined in Microsoft Active Directory on the Windows server with a principal name and password.
Client PCs
- Run Windows operating system.
Shipping Department
System B
- Runs IBM i 5.4
with the following options and licensed programs installed:
- PASE for i (5770-SS1 Option 33)
- Network Authentication Enablement (5770-NAE)
- Has a Kerberos server configured in PASE for i with the realm of SHIPDEPT.MYCO.COM.
- Has network authentication service configured to participate in the realm SHIPDEPT.MYCO.COM. The IBM i principal, krbsrv400/systemb.shipdept.myco.com@SHIPDEPT.MYCO.COM, has been added to the PASE for i Kerberos server.
- Both System B and the PASE for i Kerberos server share the fully qualified host name systemb.shipdept.myco.com.
- Each user within the Shipping Department has been defined in the PASE for i Kerberos server with a principal name and password.
Client PCs
- Run Windows operating system.
Prerequisites and assumptions
In this scenario, the following assumptions have been made to focus on the tasks that involve establishing a trust relationship between two pre-existing Kerberos realms.
- All system requirements, including software and operating system
installation, have been verified.To verify that the required licensed programs have been installed, follow these steps:
- In IBM Navigator for i, expand and select Installed Products.
- Ensure that all the necessary licensed programs are installed.
- All necessary hardware planning and setup have been completed.
- TCP/IP and basic system security have been configured and tested on System A.
- Network authentication service has been configured and tested.
- A single DNS server is used for host name resolution for the network.
Host tables are not used for host name resolution.Note: The use of host tables with Kerberos authentication might result in name resolution errors or other problems. For more detailed information about how host name resolution works with Kerberos authentication, see Host name resolution considerations.
- All system requirements, including software and operating system
installation, have been verified.To verify that the required licensed programs have been installed, follow these steps:
- In IBM Navigator for i, expand and select Installed Products.
- Ensure that all the necessary licensed programs are installed.
- All necessary hardware planning and setup have been completed.
- TCP/IP and basic system security have been configured and tested on your system.
- Network authentication service has been configured and tested.
- All necessary hardware planning and setup have been completed.
- TCP/IP has been configured and tested on your server.
- Microsoft Active Directory has been configured and tested.
- Each user within the Order Department has been defined in Microsoft Active Directory with a principal name and password.
Configuration steps
To set up a trust relationship between two realms, complete these steps.