Here are the steps for adding principals for endpoint systems.
- System B steps
  - On your Windows server, expand .
  - Select MYCO.COM as the domain and expand .
    Note: This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.
  - In the Name field, enter systemb to identify the IBM® i platform to this Windows domain. This adds a new user account for System B.
  - Access the properties on the Active Directory user systemb. From the Delegation tab, select Trust this user for delegation to any service (Kerberos only). This allows the IBM i service principal to access other services on behalf of a signed-in user.
  - On the Windows server, you need to map the user account you just created to the IBM i service principal by using the ktpass command. At a Windows command prompt, enter the following command:
    ktpass -mapuser systemb -pass systema123 -princ krbsvr400/systemb.myco.com@MYCO.COM -mapop set
- System C steps
  - On your Windows server, expand .
  - Select MYCO.COM as the domain and expand .
    Note: This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.
  - In the Name field, enter systemc to identify the IBM i platform to this Windows domain. This adds a new user account for System C.
  - Access the properties on the Active Directory user systemc. From the Delegation tab, select Trust this user for delegation to any service (Kerberos only). This allows the IBM i service principal to access other services on behalf of a signed-in user.
  - On the Windows server, you need to map the user account you just created to the IBM i service principal by using the ktpass command. At a Windows command prompt, enter the following command:
    ktpass -mapuser systemc -pass systema123 -princ krbsvr400/systemc.myco.com@MYCO.COM -mapop set
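
To confirm the result of the System B and System C steps, the following PowerShell check reads both accounts back from Active Directory and verifies that each SPN is mapped, is owned by exactly one account, and that the delegation setting is in place. It is an added example, not part of the IBM documentation, and it assumes the ActiveDirectory module (RSAT) is installed on the Windows server; the account names and SPNs are the ones used in the steps above.

```powershell
# Added verification example; not part of the IBM procedure.
# Assumption: the ActiveDirectory PowerShell module (RSAT) is available.
Import-Module ActiveDirectory

# Account name -> SPN that ktpass should have mapped (values from the steps above).
$expected = [ordered]@{
    systemb = 'krbsvr400/systemb.myco.com'
    systemc = 'krbsvr400/systemc.myco.com'
}

$results = foreach ($name in $expected.Keys) {
    $spn  = $expected[$name]
    # -Filter returns nothing (rather than throwing) when the account is missing.
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" `
                       -Properties servicePrincipalName, TrustedForDelegation

    # An SPN registered on more than one object makes the KDC unable to issue
    # service tickets for it, so list every object that carries this SPN.
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" |
                ForEach-Object { $_.Name })

    [pscustomobject]@{
        Account    = $name
        Exists     = [bool]$user
        SpnMapped  = [bool]($user -and ($user.servicePrincipalName -contains $spn))
        SpnOwners  = $owners -join ','
        SpnUnique  = ($owners.Count -eq 1)
        # True when "Trust this user for delegation to any service" is selected.
        Delegation = [bool]($user -and $user.TrustedForDelegation)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so the check can gate a scripted rollout.
$failed = @($results | Where-Object {
    -not ($_.Exists -and $_.SpnMapped -and $_.SpnUnique -and $_.Delegation)
})
if ($failed.Count -gt 0) {
    Write-Error ("Principal check failed for: " + ($failed.Account -join ', '))
    exit 1
}
```
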
You have completed the propagation of the network authentication service configuration to multiple systems. To configure the Management Central server to take advantage of network authentication service, you need to perform some additional tasks. See Scenario: Using Kerberos authentication between Management Central servers for details.