IBM i2 iBase User Logon as in an SSO Environment

Answer

The following guide assumes that you are implementing iBase single sign on using Active Directory in a domain environment, and that you understand at least in some way how SSO works in iBase.

It also requires you to have sufficient active directory knowledge to add a new user to your active directory domain, so you will either need appropriate permissions to do so, or to work with someone in your organisation to do this.

• First create a new user in active directory. Give them a sensible name such as iBaseLogonAs or iBaseFake and give them a password you can remember that complies with your organisations password policies. Make sure the user is also listed as a domain user, and not a member of any groups which would allow him to automatically be signed into iBase.
  
• You may need to give this new user the appropriate user permissions to both connect to the database and see the location that you store your ids / idb files for iBase.
• When you have made your user in active directory, switch to your own user account on your machine you would normally connect to iBase with.
• Right click the desktop and select New -> Shortcut.
• When the Create Shortcut wizard appears, enter the following string for the location of the item:
• C:\Windows\System32\runas.exe /savecred /user:YourAD\iBaseFake "C:\Program Files (x86)\i2 iBase 8\iBase.exe"
• For the above string, you will need to change YourAD to the AD which you made the new user a part of.
• You may also need to change the paths to both the runas and iBase executables to match up to your own installation, if different from a standard Windows installation.
  
• Give the shortcut a sensible name such as iBase Login As and click Finish to create the shortcut.
• Now open the shortcut
• A command prompt will appear and you will be prompted for your users new password.
• Important Note: The first time you run the shortcut, you will be prompted to enter your newly created users password. When doing so, you will not be able to see what characters you are entering, so enter the password carefully.
• The /savecred command in the shortcut will mean that you will not have to enter that users password in the future. (Note that should you need to re-enter this password, due to expiry etc, alter the shortcut to remove the /savecred line and you should be prompted to enter it again. Then once you have entered it once, place the /savecred command back in the command).
• 
• Enter the password for the user listed, and wait for the runas dialog to finish. When it is done the command prompt window will disappear and iBase will launch.
• When iBase loads, open the database ids file. (Again you will need you will need your user to have file access to where the files you use to connect to iBase are stored to open the database).
  
• You should find that as iBase is unable to find your newly created user in any groups that allow them access to iBase the iBase security logon box is displayed.
  
• Enter a user that you wish to logon as other than your normal account. For example, if you are an analyst enter the SYSADMIN details here instead.
• Open the idb file of the database you wish to open.
  
• As long as you have followed the instructions correctly, you should have the appropriate functions for the user you just logged in as, rather than your own. So for example if before hand you did not have access to a higher level function such as purge and restore deleted records, after logging in as a SYSADMIN you should now be able to see those functions.
  
• Now close down iBase
• Once iBase has closed open the shortcut again and you should find that this time you are not prompted for the password for your new user. iBase should open and automatically attempt to open the database you were last connected to, and again prompt you for your iBase security details.