Adding the principals for endpoint systems to the Windows domain

Here are the steps for adding principals for endpoint systems.

  1. System B steps
    1. On your Windows server, expand Administrative Tools > Active Directory Users and Computers.
    2. Select MYCO.COM as the domain and expand Action > New > User.
      Note: This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.
    3. In the Name field, enter systemb to identify the IBM® i platform to this Windows domain. This adds a new user account for System B.
    4. Access the properties on the Active Directory user systemb. From the Delegation tab, select Trust this user for delegation to any service (Kerberos only). This allows the IBM i service principal to access other services on behalf of a signed-in user.
    5. On the Windows server, you need to map the user account you just created to the IBM i service principal by using the ktpass command. At a Windows command prompt, enter the following command:

      ktpass -mapuser systemb -pass systema123 -princ krbsvr400/systemb.myco.com@MYCO.COM -mapop set

  2. System C steps
    1. On your Windows server, expand Administrative Tools > Active Directory Users and Computers.
    2. Select MYCO.COM as the domain and expand Action > New > User.
      Note: This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.
    3. In the Name field, enter systemc to identify the IBM i platform to this Windows domain. This adds a new user account for System C.
    4. Access the properties on the Active Directory user systemc. From the Delegation tab, select Trust this user for delegation to any service (Kerberos only). This allows the IBM i service principal to access other services on behalf of a signed-in user.
    5. On the Windows server, you need to map the user account you just created to the IBM i service principal by using the ktpass command. At a Windows command prompt, enter the following command:

      ktpass -mapuser systemc -pass systema123 -princ krbsvr400/systemc.myco.com@MYCO.COM -mapop set
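
To confirm that the steps above took effect for both endpoint accounts, the following check reads back the service principal mapping and the delegation setting. It is an added example, not part of the original procedure. It assumes the ActiveDirectory PowerShell module is installed and that it runs on a system joined to the MYCO.COM domain; the variable names are illustrative.

```powershell
# Added verification example (not from the original procedure).
# Assumes the ActiveDirectory module (RSAT) and a session in the MYCO.COM domain.
Import-Module ActiveDirectory

# Accounts and host names as used in this scenario.
$endpoints = @(
    @{ Account = 'systemb'; Fqdn = 'systemb.myco.com' },
    @{ Account = 'systemc'; Fqdn = 'systemc.myco.com' }
)

$results = foreach ($ep in $endpoints) {
    # Service principal that ktpass -princ should have mapped to the account.
    $spn  = "krbsvr400/$($ep.Fqdn)"
    $user = Get-ADUser -Identity $ep.Account `
        -Properties ServicePrincipalNames, TrustedForDelegation, UserPrincipalName

    # An SPN must belong to exactly one object; a duplicate registration
    # elsewhere in the domain causes ticket requests for it to fail.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")

    [pscustomobject]@{
        Account       = $ep.Account
        ExpectedSpn   = $spn
        SpnMapped     = $user.ServicePrincipalNames -contains $spn
        SpnOwnerCount = $owners.Count
        Delegation    = [bool]$user.TrustedForDelegation
        UPN           = $user.UserPrincipalName
    }
}

$results | Format-Table -AutoSize

# Flag any account where the mapping or the delegation setting is missing.
$bad = @($results | Where-Object {
    -not $_.SpnMapped -or $_.SpnOwnerCount -ne 1 -or -not $_.Delegation
})
if ($bad.Count -gt 0) {
    Write-Warning ("Review these accounts: " + ($bad.Account -join ', '))
    exit 1
}
```

A non-zero exit means that, for the listed account, the service principal is not mapped, is registered on more than one object, or the delegation option from step 4 is not set.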

You have completed the propagation of the network authentication service configuration to multiple systems. To configure the Management Central server to take advantage of network authentication service, you need to perform some additional tasks. See Scenario: Using Kerberos authentication between Management Central servers for details.