IBM Support

IBM i Single Sign-on Configuration Planning Worksheets



This document provides single sign-on prerequisites and configuration planning worksheets.

Resolving The Problem

Single Sign-on Configuration Planning Worksheets

Before you attempt to configure single sign-on, plan your overall single sign-on implementation. Use the following worksheets to ensure that you meet all of the prerequisites.

  • Single Sign-on prerequisite worksheet
  • Single Sign-on configuration planning worksheets

Single Sign-on Prerequisite Worksheet

This worksheet is provided to help ensure that you meet all prerequisites for implementing single sign-on. To ensure a successful implementation, you need to answer Yes to all prerequisite items in the following worksheet.  Gather all the information necessary to complete the worksheets before you perform any configuration tasks.

Questions Answers
Are the following options and licensed products installed on your IBM i server?
  • Host Servers (5770SS1 Option 12)
  • Network Authentication Enablement (5770NAE)
  • Qshell Interpreter (5770SS1 Option 30)
Are you using i Access for Windows®? If so, is the current i Access for Windows® service pack installed? Refer to the IBM i Access website for the latest service pack.

Note: IBM does not plan to support IBM i Access for Windows® on operating systems beyond Windows® 8.1*. The replacement product is IBM i Access Client Solutions. i Access for Windows® is no longer provided with OS releases beyond v7r1.
If you are on OS version v7r1 or later, are the server products 5770DG1 (HTTP Server), 5761JV1 or 5770JV1 (Java®**) options 12-17 installed?
*IBM Navigator for i requires a 64-bit JDK (Java® Developer Kit).
Do you, the administrator, have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities?
Do you have one of the following systems acting as the Kerberos server (also known as the KDC)? If yes, specify which system you have:
  • Microsoft® Windows® Server 2003, 2008, 2012, 2016*
  • PASE
  • IBM AIX server
  • IBM zSeries

Note: All Microsoft Windows Server®* versions use Kerberos authentication as their default security mechanism.
Are all of the PCs in your network configured in a Windows®* domain?
Have you applied the latest cumulative and group program temporary fixes (PTFs)?
Is the IBM i system time within 5 minutes of the system time on the Kerberos server? If not, refer to Synchronize system times at the following websites:

IBM i 720:

IBM i 540:

Single Sign-on Configuration Planning Worksheets

The configuration planning worksheets are designed to help you prepare for the steps you will go through in the Network Authentication Services (NAS) and Enterprise Identity Mapping (EIM) wizards.

Network Authentication Services (NAS):

Questions Answers
What is the name of the Kerberos default realm to which your System i will belong?

Note: A Windows® domain is similar to a Kerberos realm. Microsoft® Active Directory® uses Kerberos authentication as its default security mechanism.
What is the KDC for this Kerberos default realm?

Note: KDC = Key Distribution Center. This is the server that generates the Kerberos tickets. In most cases this will be the primary Microsoft Active Directory server name.
What is the KDC's fully qualified host name? (
What is the port on which the KDC listens for Kerberos traffic? (default is 88)
For which services do you want to create keytab entries?
  • IBM OS/400 Kerberos Authentication (Telnet and 5250 sessions)
  • LDAP
  • IBM i HTTP Server
  • IBM i NetServer
  • NFS
  • FTP
What is the password for your service principal or principals? (you will generate this during the wizard steps)
Do you want to create a batch file to automate adding the service principals for System A to the Kerberos registry? (Recommended)
Do you want to include passwords with the IBM i service principals in the batch file?

Note: Passwords must match between the KDC and the IBM i Keytab entries. These are case-sensitive. If the password is not included in the batch file, you will need to manually type it in for each principal added when the batch file is run on the KDC.
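
An added example, not part of the original IBM document: a small Python pre-check for a filled-in NAS worksheet that flags answers likely to cause trouble before the wizard is run (realm case, a short KDC host name, a bad port, clock skew beyond the 5-minute prerequisite, passwords stored in the batch file). The dictionary keys, function names and sample values are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

MAX_SKEW_SECONDS = 5 * 60  # worksheet prerequisite: within 5 minutes of the Kerberos server
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_fqdn(host):
    """True when host has at least two valid DNS labels (a short name is not enough)."""
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)

def check_nas_answers(answers, ibmi_time, kdc_time):
    """Return findings for one filled-in NAS worksheet (hypothetical dict layout)."""
    findings = []
    realm = answers.get("realm", "")
    if not realm:
        findings.append("realm: missing")
    elif realm != realm.upper():
        # Realm names are case-sensitive; an Active Directory realm is by
        # convention the domain name in upper case.
        findings.append(f"realm: {realm!r} is not upper case")
    if not is_fqdn(answers.get("kdc_host", "")):
        findings.append("kdc_host: not a fully qualified host name")
    port = answers.get("kdc_port", 88)  # 88 is the worksheet default
    if not (isinstance(port, int) and 1 <= port <= 65535):
        findings.append("kdc_port: must be an integer from 1 to 65535")
    skew = abs((ibmi_time - kdc_time).total_seconds())
    if skew > MAX_SKEW_SECONDS:
        findings.append(f"clock: skew {skew:.0f}s exceeds {MAX_SKEW_SECONDS}s")
    if answers.get("batch_file") and answers.get("passwords_in_batch_file"):
        findings.append("batch_file: holds service principal passwords; "
                        "restrict access and delete it after it runs on the KDC")
    return findings

# Constructed sample answers and clock readings (not from the original page).
SAMPLE = {"realm": "corp.example.com", "kdc_host": "kdc1", "kdc_port": 88,
          "batch_file": True, "passwords_in_batch_file": True}
IBMI_TIME = datetime(2019, 12, 18, 12, 0, 0, tzinfo=timezone.utc)
KDC_TIME = datetime(2019, 12, 18, 12, 7, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in check_nas_answers(SAMPLE, IBMI_TIME, KDC_TIME):
        print(finding)
```
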

Enterprise Identity Mapping:

A quick note about the term "EIM domain": an EIM domain is not a network domain and will not interfere with any existing network domains (such as a Windows® domain). It is a self-contained repository for all EIM data and is stored within LDAP only on the IBM i server.

Questions Answers
Are you creating a new EIM domain or joining an existing one?

Note: You must have already created an EIM domain on another LPAR or IBM i server in order to use the "Join an existing EIM domain" option.
Who will be the EIM administrator?

Note: The EIM administrator can be an LDAP distinguished name (the default is cn=administrator) or a user profile. If a user profile is used, you must take into consideration the amount of authority needed and possible password expiration concerns.
What will the administrator password be? (If using the default of cn=administrator, this must match the cn=administrator password configured in the LDAP server properties.)
What is the name of the EIM domain that you want to create? (The wizard sets the default name to "EIM")
Do you want to specify a parent DN for the EIM domain? (Knowledge of LDAP is highly recommended if you answer yes to this)

Continue with the single sign-on setup based upon the above values.

* Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

** Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Document Information

Modified date:
18 December 2019