Adding System A principal to the Kerberos server

You can manually add the IBM® i service principal to the Kerberos server. As this scenario illustrates, you can also use the batch file you created in step 6 to add the principal.

To use the batch file, you can use the download function in IBM i Access Client Solutions (ACS) to copy the file to the Kerberos server and run it. Follow these steps to use the batch file to add the principal to the Kerberos server:
  1. Download the batch file created by the wizard to your Kerberos server.
    1. As the administrator on your Windows server do the following:
      1. Using ACS for System A, select Actions > General > Integrated File System.
      2. Log in with your user ID and password.
      3. In the Directory field, enter the directory in which the configuration file was saved, /QIBM/UserData/OS400/iSeriesNavigator/config, and press Enter.
      4. Select NASConfig_systema.bat, Right-click NASConfig_systema.bat and select Download
      5. In the Download box, click Okay
      6. Enter your user ID and password.
      7. The downloaded file will be put in your downloads directory.
        Note: It is recommended that you now delete the NASConfig_systema.bat file from System A.
  2. Run batch file on
    1. On your Windows server, open the folder where you downloaded the batch file.
    2. Find the NASConfig_systema.bat file and double-click the file to run it.
    3. After the file runs, verify that the IBM i principal has been added to the Kerberos server by completing the following steps:
      1. On your Windows server, expand Start > Windows Administrative Tools > Active Directory Users and Computers > Users.
      2. Verify that the system has a user account by selecting the appropriate Windows domain.
        Note: This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.
      3. In the list of users that is displayed, find systema_1_krbsvr400. This is the user account generated for the IBM i principal name.
      4. Optional: Access the properties on your Active Directory user. From the Delegation tab, select Trust this user for delegation to any service (Kerberos only).
        Note: This optional step enables your system to delegate or forward a user's credentials to other systems. As a result, the IBM i service principal can access services on multiple systems on behalf of the user. This is useful in a multi-tier network.
      Note: It is recommended that you now delete the NASConfig_systema.bat file from your Windows server.