How to Add a Computer Account in Active Directory for Use with Single Sign-On

Problem

The default configuration for Single Sign-On for IBM i is to add user accounts in Active Directory. This results in many accounts, each with a password assigned, which adds to the administration work of the Windows administrators. This document describes a method for attaching multiple service principals to one account that has no password assigned to it.

Resolving The Problem

One method of attaching multiple service principals to one account with no password assigned is to use a computer account instead of a user account. To add these principals, follow the steps below:

1. After the EIM and NAS configuration has been completed, do not run the batch file that was created for the Active Directory server; instead, rename the krb5.keytab file located in the following directory:

/QIBM/UserData/OS400/NetworkAuthentication/keytab/

This file will be replaced in the last step.

2. On the Active Directory server, create a computer account with the name of the IBM i and run the ktpass command as follows:

(Screenshot: New Computer object in Active Directory)

Replace:

systemi.mycompany.com = the fully qualified name of the IBM i from CFGTCP option 12 (Host Name + Domain Name)
MYCOMPANY.COM = replace with the Active Directory realm name
systemi = replace with the computer account host name
password = replace with the password you would like the mapped Service Principal Name to have in the keytab

ktpass -out c:\krb5.keytab -princ krbsvr400/systemi.mycompany.com@MYCOMPANY.COM -pass password -mapuser systemi$@mycompany.com -mapop set +answer -crypto All -ptype KRB5_NT_PRINCIPAL /kvno 2 -setupn

NOTE:
Each additional service principal can be added as in the examples below. Notice that the -in parameter has been added and -mapop is set to add. For additional assistance with the ktpass command, contact Microsoft support. The -mapuser option must name the computer account created on the Active Directory server in the previous step, and it needs the $ before the @ sign.

Examples:

ktpass -in c:\krb5.keytab -out c:\krb5.keytab -princ HOST/systemi.mycompany.com@MYCOMPANY.COM -pass password -mapuser systemi$@mycompany.com -mapop add +answer -crypto All -ptype KRB5_NT_PRINCIPAL /kvno 2 -setupn

ktpass -in c:\krb5.keytab -out c:\krb5.keytab -princ cifs/systemi.mycompany.com@MYCOMPANY.COM -pass password -mapuser systemi$@mycompany.com -mapop add +answer -crypto All -ptype KRB5_NT_PRINCIPAL /kvno 2 -setupn

3. Once all the principals have been added, transfer the c:\krb5.keytab file by FTP in binary mode to the IBM i, into the following directory:

/QIBM/UserData/OS400/NetworkAuthentication/keytab/

4. Connect with a session that uses Kerberos.

Note: kinit -k will not work for testing because this is a computer account. If the connection fails, you should contact IBM Support.
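Because kinit -k cannot be used to test a computer-account keytab, it is worth inspecting the file itself before transferring it in step 3. The following Python check is an added example, not part of the IBM document or of the ktpass tool: it parses the MIT-format krb5.keytab (version 0x0502) that ktpass writes, lists each principal with its kvno and encryption type without exposing key material, and reports any expected SPN that is missing, any entry whose kvno differs from the value passed to /kvno, and any legacy single-DES or RC4 keys that -crypto All may also have written. The sample keytab embedded below is constructed in the script with dummy keys; the principal names match the ktpass examples above.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# Name type written by "ktpass -ptype KRB5_NT_PRINCIPAL" (RFC 4120 value 1).
KRB5_NT_PRINCIPAL = 1
# Encryption-type numbers from RFC 3961/3962/4757; "-crypto All" can emit several of these.
ENCTYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
LEGACY_ENCTYPES = {1, 3, 23}  # single-DES and RC4: worth reporting to the administrator


@dataclass
class KeytabEntry:
    principal: str  # e.g. "krbsvr400/systemi.mycompany.com@MYCOMPANY.COM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int


def _cos(s: str) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Encode one MIT v2 keytab entry. Used here only to construct sample input;
    in practice the file comes from ktpass."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cos(realm) + b"".join(_cos(c) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # optional 32-bit kvno field
    return struct.pack(">i", len(body)) + body


def build_keytab(entries: List[bytes]) -> bytes:
    return b"\x05\x02" + b"".join(entries)  # version 0x0502 header


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk a v2 keytab and return its entries; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2

        def read_cos(p: int):
            (n,) = struct.unpack_from(">H", data, p)
            return data[p + 2:p + 2 + n].decode(), p + 2 + n

        realm, pos = read_cos(pos)
        comps = []
        for _ in range(ncomp):
            c, pos = read_cos(pos)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen  # skip the key material
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno present; it overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, ts, kvno, enctype))
    return entries


def check_keytab(data: bytes, expected_principals: List[str], expected_kvno: int) -> List[str]:
    """Return a list of findings; an empty list means the keytab matches expectations."""
    entries = parse_keytab(data)
    present = {e.principal for e in entries}
    findings = [f"missing principal {p}" for p in expected_principals if p not in present]
    for e in entries:
        if e.kvno != expected_kvno:
            findings.append(f"{e.principal}: kvno {e.kvno}, expected {expected_kvno}")
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append(f"{e.principal}: name type {e.name_type}, expected KRB5_NT_PRINCIPAL")
        if e.enctype in LEGACY_ENCTYPES:
            findings.append(f"{e.principal}: legacy key {ENCTYPE_NAMES.get(e.enctype, e.enctype)} present")
    return findings


# Constructed sample: what the three ktpass runs above would leave in c:\krb5.keytab
# (AES-256 and AES-128 entries with kvno 2; the keys are dummy zero bytes, not derived keys).
SAMPLE_PRINCIPALS = [
    "krbsvr400/systemi.mycompany.com@MYCOMPANY.COM",
    "HOST/systemi.mycompany.com@MYCOMPANY.COM",
    "cifs/systemi.mycompany.com@MYCOMPANY.COM",
]
SAMPLE_KEYTAB = build_keytab(
    [build_entry(p, 2, et, bytes(32 if et == 18 else 16)) for p in SAMPLE_PRINCIPALS for et in (18, 17)]
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e.principal:50} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    for f in check_keytab(data, SAMPLE_PRINCIPALS, expected_kvno=2):
        print("FINDING:", f)
```

Run it with the path to the keytab produced by ktpass (python check_keytab.py c:\krb5.keytab) before the FTP transfer. The kvno it reports should match the msDS-KeyVersionNumber attribute of the computer account in Active Directory; if the account's password is reset later, that number increments and the keytab must be regenerated.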

Historical Number

636975959

Document Information

More support for:
IBM i

Component:
Single Sign On

Software version:
All Versions

Operating system(s):
IBM i

Document number:
684351

Modified date:
07 March 2025

UID

nas8N1010920
