Testing network authentication service configuration

To test the network authentication service configuration, request a ticket-granting ticket for your IBM® i principal.

After you have created the home directories for each user that will connect to the IBM i applications, you can test the network authentication service configuration by requesting a ticket-granting ticket for your IBM i principal. Before requesting a ticket, you should ensure that these common errors are fixed:
  • Do you have all the prerequisites for network authentication service?
  • Does a home directory exist on the IBM i operating system for the user who issues the ticket request? See Creating a home directory for details.
  • Do you have the correct password for the IBM i principal? This password was created during network authentication configuration and should be specified in your planning worksheets.
  • Have you added the IBM i principal to the Kerberos server? See Adding IBM i principals to the Kerberos server for details.
To test network authentication service, complete the following steps:
  1. On a command line, enter QSH to start the Qshell Interpreter.
  2. Enter keytab list to display a list of principals registered in the keytab file.
    The following results should display:
    Principal: krbsvr400/systema.myco.com@MYCO.COM      
      Key version: 1                                                       
      Key type: 256-bit AES                            
      Entry timestamp: 20XX/05/29-11:02:58                                 
  3. Enter kinit -k krbsvr400/fully qualified host name@REALM NAME to request a ticket-granting ticket from the Kerberos server.
    For example, krbsvr400/systema.myco.com@MYCO.COM might be a valid principal name for the system.
    This command verifies that your system has been configured properly and the password in the keytab file matches the password stored on the Kerberos server. If this is successful, the QSH command displays without errors.
  4. Enter klist to verify that the default principal is krbsvr400/fully qualified host name@REALM NAME.
    This command displays the contents of a Kerberos credentials cache and verifies that a valid ticket has been created for the IBM i service principal and placed within the credentials cache on the system.
     Ticket cache: FILE:/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/creds/krbcred
     Default principal: krbsvr400/systema.myco.com@MYCO.COM  
    Server: krbtgt/MYCO.COM@MYCO.COM              
      Valid 20XX/06/09-12:08:45 to 20XX/11/05-03:08:45                          

What do I do next:

Configuring Enterprise Identity Mapping

This task is optional if you are using network authentication service with your own applications. However, this task is recommended for use with IBM-supplied applications to create a single sign-on environment.