Adding both IBM i service principals to the Kerberos server

You can use one of two methods to add the necessary IBM i service principals to the Kerberos server.

You can manually add the service principals or, as this scenario illustrates, you can use the batch files to add them. You created these batch files in step 4.f and step 4.f. To use these files, use the download function in IBM i Access Client Solutions (ACS) to copy them to the Kerberos server and then run them there.

Follow these steps to use the batch files to add principal names to the Kerberos server:

Download the batch file created by the wizard to your Kerberos server.

As the administrator on your Windows server do the following:
  1. Using ACS for System A, select Actions > General > Integrated File System.
  2. Log in with your user ID and password.
  3. In the Directory field, enter the directory in which the configuration file was saved, /QIBM/UserData/OS400/Navigator/config, and press Enter.
  4. Select NASConfig_systema.bat, right-click it, and select Download.
  5. In the Download box, click OK.
  6. Enter your user ID and password.
  7. The downloaded file will be put in your downloads directory.
    Note: It is recommended that you now delete the NASConfig_systema.bat file from System A.
  8. Repeat these steps for System B to download NASConfig_systemb.bat to the Windows server.
Run both batch files on kdc1.myco.com.
  1. On your Windows server, open the directory where you downloaded the batch files.
  2. Find the NASConfig_systema.bat file and double click the file to run it.
  3. Repeat these steps for NASConfig_systemb.bat.
  4. After each file runs, verify that the IBM i principal has been added to the Kerberos server by completing the following:
    1. On your Windows server, expand Start > Windows Administrative Tools > Active Directory Users and Computers > Users.
    2. Verify that the IBM i has a user account by selecting the appropriate Windows domain.
      Note: This Windows domain should be the same as the default realm name that you specified in the network authentication service configuration.
    3. In the list of users that is displayed, find systema_1_krbsvr400 and systemb_1_krbsvr400. These are the user accounts generated for the IBM i principal names.
    4. (Optional) Access the properties on your Active Directory user. From the Delegation tab, select Trust this user for delegation to any service (Kerberos only).
      Note: This optional step enables your system to delegate, or forward, a user's credentials to other systems. As a result, the IBM i service principal can access services on multiple systems on behalf of the user. This is useful in a multi-tier network. Because this setting is unconstrained delegation, the account can act on behalf of users toward any service in the domain, so enable it only when your multi-tier design requires it and review which accounts carry it.
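The verification in the last step can also be done from the command line. The following PowerShell function is an added example, not part of the IBM documentation or the NASConfig batch files; it assumes the ActiveDirectory RSAT module is available on kdc1.myco.com, that the accounts are named as shown above, and that the IBM i service principal names begin with krbsvr400/ (an assumption, adjust the prefix if your wizard output differs).

```powershell
# Added example: check that the accounts created by NASConfig_systema.bat and
# NASConfig_systemb.bat exist, are enabled, carry a service principal name, and
# report whether the optional unconstrained delegation setting was turned on.
# Assumption: the ActiveDirectory module (RSAT) is installed on the KDC.
Import-Module ActiveDirectory

function Test-IbmiServicePrincipal {
    param(
        [Parameter(Mandatory)] [string[]] $AccountName,
        # Assumed SPN prefix for the IBM i service; change if your SPNs differ.
        [string] $SpnPrefix = 'krbsvr400/'
    )
    foreach ($name in $AccountName) {
        $user = Get-ADUser -Filter "SamAccountName -eq '$name'" `
                    -Properties servicePrincipalName, TrustedForDelegation
        if (-not $user) {
            # The batch file did not create this account (or it was created elsewhere).
            [pscustomobject]@{ Account = $name; Exists = $false; Enabled = $false
                               Spns = @(); Delegation = 'n/a'; Ok = $false }
            continue
        }
        $spns = @($user.servicePrincipalName | Where-Object { $_ -like "$SpnPrefix*" })
        [pscustomobject]@{
            Account    = $name
            Exists     = $true
            Enabled    = $user.Enabled
            Spns       = $spns
            # TrustedForDelegation is the "any service (Kerberos only)" checkbox.
            Delegation = $(if ($user.TrustedForDelegation) { 'unconstrained' } else { 'none' })
            Ok         = ($user.Enabled -and $spns.Count -gt 0)
        }
    }
}

Test-IbmiServicePrincipal -AccountName 'systema_1_krbsvr400', 'systemb_1_krbsvr400' |
    Format-Table Account, Exists, Enabled, Delegation, Ok,
        @{ n = 'SPNs'; e = { $_.Spns -join ', ' } }
```

A row with Ok set to False means the batch file did not run as expected on the KDC; a Delegation value of unconstrained identifies accounts where the optional step 4 was applied.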

Now that you have added the IBM i service principals to the Kerberos server, you can create user profiles on the IBM i.