Enabling QNTC file system for Network Authentication Service

The QNTC file system enables IBM i platform access to Common Internet File System (CIFS) servers that support the Kerberos V5 authentication protocol.

Rather than using a LAN Manager type password to authenticate with each server, a properly configured IBM i platform can access supported CIFS servers with a single logon transaction.

To enable the Network Authentication Service (NAS) for use with QNTC, you must configure these items:

  • Network Authentication Service (NAS)
  • Enterprise Identity Mapping (EIM)

Once the above items have been configured, you can then enable a user to use NAS with the QNTC file system. The following steps are needed to allow a user to take advantage of the QNTC NAS support.

  • The user's IBM i user profile must have the local password management (LCLPWDMGT) parameter set to *NO. By specifying *NO, the user does not have a password to the server and cannot sign on to a 5250 session. The only access to the server is through NAS-enabled applications, such as IBM Navigator for i or IBM i Access 5250 Display Emulator.

    If the user specifies *YES, the password is managed by the server and the user is authenticated without NAS.

  • You must have a Kerberos ticket and an IBM Navigator for i connection.
  • The Kerberos ticket for the IBM i platform you are using must be forwardable. To make a ticket forwardable, follow these steps:
    1. Access the Active Directory Users and Computers tool on the KDC for your NAS realm.
    2. Select Users.
    3. Select the name that corresponds to the service principal name.
    4. Select Properties.
    5. Select the Account tab.
    6. Select Account is trusted for delegation.
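
The six steps above can also be scripted on a domain controller or an RSAT workstation. The following PowerShell is an added example, not part of the original documentation; the value of `$Spn` is a placeholder to replace with your service principal name, and the script assumes the ActiveDirectory module and rights to modify the account.

```powershell
# Added example: scripted equivalent of "Account is trusted for delegation".
# Assumes the ActiveDirectory module (RSAT) and permission to modify the account.
Import-Module ActiveDirectory

# Placeholder (assumption): the service principal name used by your IBM i platform.
$Spn = 'SERVICE/ibmi.example.com'

# userAccountControl bit that the "Account is trusted for delegation" box sets.
$TrustedForDelegation = 0x80000

# Steps 1-3: find the account that carries the service principal name.
$found = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                        -Properties userAccountControl, servicePrincipalName)

# A missing or duplicated SPN breaks Kerberos ticket requests, so stop here
# instead of changing the wrong account.
if ($found.Count -ne 1) {
    throw "Expected exactly one account with SPN '$Spn', found $($found.Count)."
}
$account = $found[0]

if ($account.userAccountControl -band $TrustedForDelegation) {
    Write-Output "$($account.DistinguishedName) is already trusted for delegation."
}
else {
    # Steps 4-6: set the delegation flag on the Account tab.
    Set-ADAccountControl -Identity $account.DistinguishedName -TrustedForDelegation $true

    # Re-read the account to confirm the change was written.
    $check = Get-ADObject -Identity $account.DistinguishedName -Properties userAccountControl
    if (-not ($check.userAccountControl -band $TrustedForDelegation)) {
        throw "Delegation flag was not set on $($account.DistinguishedName)."
    }
    Write-Output "$($account.DistinguishedName) is now trusted for delegation."
}

# Review: list every user and computer account that currently has the flag,
# so the set of delegation-trusted accounts stays limited to the ones you expect.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
             -Properties servicePrincipalName |
    Select-Object Name, ObjectClass, DistinguishedName
```

The final query also lists domain controllers, which carry this flag by default.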