IBM Support

How to Configure IBM Navigator for i For Single Sign On (SSO)


This article shows you how to configure Single Sign On for IBM Navigator for i.



Step-by-step Guide
There are seven steps to configure Single Sign On for IBM Navigator for i detailed on this page:
  1. Apply correct IBM i HTTP PTF group
  2. Verify IBM i server FQDN and Windows server FQDN are configured
  3. Configure Single-sign-on (SSO) for your IBM i
  4. Run NASConfig batch file
  5. Run configureNav.sh script on IBM i
  6. Configure your web browser to use SSO
  7. Restart ADMIN1 and test SSO access to IBM Navigator for i

Step 1: Apply the following minimum IBM i HTTP PTF Group level to your IBM i

The PTF Group level can be checked in Navigator from the PTF Groups interface:

IBM i OS VRM    HTTP PTF Group    Minimum Level
IBM i 7.5       SF99952           3
IBM i 7.4       SF99662           21
IBM i 7.3       SF99722           40


NOTE:  SSO with IBM Navigator for i is NOT supported at IBM i 7.2 and earlier.


Step 2: Verify your IBM i server FQDN and Windows Server FQDN are configured in your IBM i local host table and DNS

Enter the following commands from a 5250 green screen to verify the host entries in your IBM i local host table and DNS. The hostname must be identical across the IBM i HTTP service principal, the IBM Navigator for i application configuration, and TCP/IP name resolution.

CFGTCP Option 12
  Record the values of Host name and Domain name. host.domain is the IBM i FQDN (for example: as400.ibm.com).
  Press F12.
CFGTCP Option 10
  Verify that both the IBM i FQDN (host.domain) and the Windows Server FQDN are listed in the IBM i local host table. The FQDN must be the first host name listed for each entry.
    IP address     Host name
    10.0.0.1       as400.ibm.com
    9.12.34.3      windowsserver.test.com
  Press F12.
NSLOOKUP (requires 5770SS1 Option 31 to be installed)
  > host.domain   (for example: as400.ibm.com)
    Returns one IP address, <ipAddress> (for example: 10.0.0.1).
  > set type=ptr
  > <ipAddress>
    Returns one host name, which matches the IBM i host.domain (for example: as400.ibm.com).


Step 3: Configure Single Sign On (SSO) / Kerberos for your IBM i

For more information, see the IBM Technical Document, "How to configure EIM and NAS using IBM Navigator for i". That document provides detailed instructions on how to configure SSO/Kerberos on the IBM i.

NOTE: When configuring Network Authentication Service (NAS), ensure that the "HTTP Server powered by Apache" service is checked. This setting creates the HTTP service principal.

Once SSO/Kerberos is successfully configured and is functioning on your IBM i, click "Next" to continue.


Step 4: Run the NASConfig Batch File

After NAS is configured, a batch file named NASConfig_hostname.bat is created in the /QIBM/UserData/OS400/Navigator/config directory. Download this batch file, transfer it to your Microsoft Windows Active Directory server, and run it as an Administrator. The following two service principals are then displayed in the Users list of AD:

Right-click the HTTP service principal, select Properties, and on the Delegation tab select the third radio button.

Click the Add button to add the account to which delegated credentials are presented.

From Qshell (STRQSH) on the IBM i green screen, test the HTTP service principal to verify that everything is working correctly between the IBM i and Active Directory.

Type the following to test:

$ kinit -k HTTP/host.domain@WINDOWSDOMAIN
(for example: $ kinit -k HTTP/as400.ibm.com@IBM.COM)
$

If the IBM i can successfully authenticate and retrieve a Kerberos ticket from your Active Directory server, a '$' prompt is shown without errors. Any message returned indicates the error. Refer to the IBM Technical document, "Enterprise Identity Mapping (EIM) and Network Authentication Services (NAS) Error Codes and Solutions", for more information on the error issued.


Step 5: Run the configureNav.sh script on the IBM i

From a 5250 command line, run the /qibm/proddata/os400/navigator/configureNav.sh script to update the IBM Navigator for i application's configuration with the Active Directory server that serves as the Key Distribution Center (KDC) for your IBM i. Only a user profile with high authority can run this script.

Confirm that TLS is configured for your IBM i before running the configureNav.sh script. If TLS was configured before SSO, first create a backup (admin-cust.bak.xml) of admin-cust.xml under /QIBM/UserData/OS/AdminInst/admin1/wlp/usr/servers/admin1/resources/security.

If IBM i Network Authentication Service was already configured, the file /QIBM/ProdData/OS400/Navigator/configData exists. If you answer that the Kerberos information should be read from that file, the configuration data is taken from it and you are then prompted for the HTTP service principal password (in this example, the Active Directory UT25BP22 user account password). If no previous Network Authentication Service (NAS) configuration is found, the configureNav.sh script prompts you for every component of the configuration.
a. ENDTCPSVR SERVER(*IAS) INSTANCE(ADMIN1)
b. Run the QSH command
c. cd /qibm/proddata/os400/navigator
d. configureNav.sh
e. Enter the information requested, based on your current NAS and Active Directory configuration.

Example output where NAS is configured:
baseDN: dc=IBM,dc=COM
bindDN: CN=UT25BP22_2_HTTP,CN=users,DC=IBM,DC=COM
KDC name (hostname.domain): winkdc.ibm.com
Realm: IBM.COM
IBM i service principal hostname: as400.ibm.com
servicePrincipalNames: HTTP/as400.ibm.com
Input the password you set for HTTP/ service principal: -->
myhttppassword    (Active Directory UT25BP22 user account password)
Which IBM Java™ version do you use? if Java 8, input 'y', if later than Java 8, input 'n'
y
Do you want to write this information into admin-cust.xml? ['y' or 'n']
y
The admin-cust.xml is configured successfully.
$

If you need to clean up or delete this IBM Navigator for i Active Directory configuration, run the following commands from a 5250 session.

a. Run the QSH command
b. cd /qibm/proddata/os400/navigator
c. configureNav.sh
d. Enter r in response to the following prompt:

The admin-cust.xml is configured. Do you want to reconfigure it or remove the SSO configuration? Input 'y' to reconfigure, 'r' to remove and 'n' to cancel


Step 6: Configure your web browser to use SSO/Kerberos

Follow the steps for Firefox, Chrome, or Edge:
Note: On Mac, Firefox must be used.
  • Configure Mozilla Firefox to enable SPNEGO [Mac and Windows instructions]

The following steps apply to the latest version of Firefox:

a. Open Mozilla Firefox.
b. In the address bar, enter "about:config".
c. In the "This might void your warranty!" window, select "I'll be careful, I promise!"
d. In the Filter field, enter network.n
e. In the list of preferences, select the network.negotiate-auth.delegation-uris preference.
f. Double-click to modify the value.
g. Enter the names of your IBM i systems in the input field, separated by commas:
            hostnameA,hostnameB,hostnameC
   (for example: as400.ibm.com,as4002.ibm.com,as4003.ibm.com)
h. Select OK.
i. Select the network.negotiate-auth.trusted-uris preference in the list of preferences.
j. Double-click to modify the value.
k. Enter the same hostnames as in step g in the input field.

  • Configure Chrome and Microsoft Edge to enable SPNEGO [Windows instructions]
Note: For Edge, follow steps one and two, then proceed to the Microsoft Edge-specific instructions.
    1) Enter "Internet Options" in the Windows Search Bar to open it (Internet Options → Security → Local intranet), then add the name of your IBM i system to the Local intranet zone.
    2) Change the Local intranet security settings as follows:

[Screenshot: Local intranet security settings]

For Chrome only, continue here. For Edge, skip ahead to the Microsoft Edge-specific instructions.

After you complete steps one and two above, perform the following special steps for the latest version of Chrome.

Chrome-specific finishing steps (shown using Windows 10 screenshots):
a. Open the Registry Editor by typing regedit.exe in the "Run" window.
b. Google Chrome uses a few different policies to enable SPNEGO support.
c. The policies are stored in the Windows registry under HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome. If the key at the end of the path (Google or Chrome) does not exist, you can create it manually (Right-click -> New -> String Value). The type of each policy is a String Value (REG_SZ).
d. Multiple servers are separated with commas.
e. Wildcards (*) are allowed in the names.
f. The value of the policy is the web domain being accessed (for example *.rch.stglabs.ibm.com).
g. Ensure both policies, AuthNegotiateDelegateAllowlist and AuthServerAllowlist, are added.

You can confirm your browser policies by entering "chrome://policy" in the browser address bar and pressing ENTER. The browser policies shown in blue are currently active and in use in the current browser session.

  • Configure Microsoft Edge to enable SPNEGO (version 77 and later of the Edge browser)  [Windows instructions]

After you complete steps one and two in "Configure Chrome and Microsoft Edge to enable SPNEGO", perform the following special steps for Edge.

Edge-specific finishing steps (shown using Windows 10):

a. Open the Registry Editor by typing regedit.exe in the "Run" window.
b. Microsoft Edge uses a few different policies to enable SPNEGO support. IBM recommends adding both policies to your browser; adding both ensures that SPNEGO support is enabled.
c. The policies are stored in the Windows registry under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge. If the key at the end of the path (Edge) does not exist, you can create it manually (Right-click -> New -> String Value). The type of each policy is a String Value (REG_SZ).
d. Multiple servers are separated with commas.
e. Wildcards (*) are allowed in the names.
f. The value of the policy is the web domain being accessed (for example *.rch.stglabs.ibm.com).
g. Confirm that both policies, AuthNegotiateDelegateAllowlist and AuthServerAllowlist, are added.

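The Chrome and Edge registry steps above are the same two REG_SZ policies written under two different keys. The following PowerShell script is an added example, not part of the IBM document, that writes both policies for both browsers and reads them back so a missing value is obvious; the allow-list value is a placeholder that you replace with your own IBM i web domain. Run it from an elevated session on the Windows client.

```powershell
# Added example, not from the IBM document: set and verify the two SPNEGO policies
# (AuthServerAllowlist and AuthNegotiateDelegateAllowlist) for Chrome and Edge.
# Assumption: $AllowList is a placeholder; replace it with your own IBM i web domain
# (the document's example value is *.rch.stglabs.ibm.com).
$AllowList = '*.example.com'

# Chrome and Edge each read the same two REG_SZ values from their own policy key.
$PolicyKeys  = @(
    'HKLM:\Software\Policies\Google\Chrome',
    'HKLM:\Software\Policies\Microsoft\Edge'
)
$PolicyNames = @('AuthServerAllowlist', 'AuthNegotiateDelegateAllowlist')

function Set-SpnegoPolicy {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    # Create the missing key path, then write each policy as a String Value (REG_SZ);
    # -Force overwrites an existing value so the script can be re-run safely.
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    foreach ($name in $PolicyNames) {
        New-ItemProperty -Path $Key -Name $name -Value $Value -PropertyType String -Force | Out-Null
    }
}

function Get-SpnegoPolicy {
    param([Parameter(Mandatory)][string]$Key)
    # Emit one row per policy so a missing or mismatched value stands out.
    foreach ($name in $PolicyNames) {
        $current = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Key    = $Key
            Policy = $name
            Value  = $current
            IsSet  = -not [string]::IsNullOrEmpty($current)
        }
    }
}

foreach ($key in $PolicyKeys) {
    Set-SpnegoPolicy -Key $key -Value $AllowList
}

# Read both keys back; every row should show IsSet = True with the same value.
$PolicyKeys | ForEach-Object { Get-SpnegoPolicy -Key $_ } | Format-Table -AutoSize
```

After running it, restart the browser and confirm the policies are active on the chrome://policy page (or edge://policy for Edge), as the document describes for Chrome.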


Step 7: Restart ADMIN1 and test SSO access to the IBM Navigator for i

ENDTCPSVR SERVER(*IAS) INSTANCE(ADMIN1)

STRTCPSVR SERVER(*IAS) INSTANCE(ADMIN1)

Open a web browser and try accessing the IBM Navigator for i URL to verify Single Sign On (SSO) / Kerberos authentication is working properly.

SSO URL: http://host.domain:2002/Navigator/

(for example http://as400.ibm.com:2002/Navigator/)

If IBM Navigator for i opens WITHOUT redirecting to the login page, the absence of the login page verifies that SSO/Kerberos is working properly for IBM Navigator for i. SSO/Kerberos for IBM Navigator for i is now configured.

If you are still redirected to the IBM Navigator for i login page, review the previous configuration steps to ensure they are correct. If you require further assistance, contact IBM Support using the telephone number 1-800-IBM-SERV, or open an IBM Service Request.
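The browser test above can be scripted from the Windows client. The function below is an added example, not part of the IBM document: it requests the Navigator URL with the logged-on user's Kerberos credentials, stops at the first redirect so a redirect to the login page stays visible, and checks the local ticket cache for the HTTP/ service ticket that a successful SPNEGO exchange leaves behind. The host name passed in is your own IBM i FQDN; the document's example as400.ibm.com is used in the call at the end.

```powershell
# Added example, not from the IBM document: report whether Navigator opened via SSO or
# redirected to its login page. Assumption: $HostDomain is the IBM i FQDN from Step 2.
function Test-NavigatorSso {
    param([Parameter(Mandatory)][string]$HostDomain)

    $url = "http://${HostDomain}:2002/Navigator/"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.UseDefaultCredentials = $true   # answer the Negotiate challenge with the current user's ticket
    $req.AllowAutoRedirect     = $false  # keep a redirect to /Navigator/login visible instead of following it
    $req.Timeout               = 15000

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx answers arrive as WebException; only a missing Response means no HTTP reply at all
        if ($null -eq $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()

    $verdict = if ($status -eq 200) {
        'SSO working: Navigator opened without the login page'
    } elseif ($location -match '/Navigator/login') {
        'Redirected to the login page: review Steps 1 to 6'
    } elseif ($status -eq 401) {
        'Negotiate challenge not satisfied: check the HTTP/ service principal and the Local intranet zone'
    } else {
        "Unexpected response: HTTP $status $location"
    }

    # After a successful SPNEGO exchange the client cache holds a ticket for HTTP/<host.domain>
    $hasTicket = [bool](klist 2>$null | Select-String -SimpleMatch "HTTP/$HostDomain" -Quiet)

    [pscustomobject]@{
        Url        = $url
        Status     = $status
        Location   = $location
        HttpTicket = $hasTicket
        Verdict    = $verdict
    }
}

Test-NavigatorSso -HostDomain 'as400.ibm.com'   # the document's example host
```

A Verdict of "SSO working" together with HttpTicket = True is the scripted equivalent of the document's check that no login page appears; a redirect to the login page with HttpTicket = False points at the browser-side steps, while a redirect with HttpTicket = True points at the IBM i side (Steps 4 and 5).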


If you want to log in with a username and password but get the previous Basic Authentication prompt instead, do one of the following:

  1. Use the full URL http://host.domain:2002/Navigator/login (not :2001 or just :2002/Navigator)
  2. Go through the Internet Options Security Zone setup and select option 3 for User Authentication.

[Screenshot: Internet Options Security Zone, User Authentication option 3]


Document Information

Modified date: 13 July 2022
UID: ibm16593749