IBM Support

Kerberos and the IBM i NetServer

Troubleshooting


Problem

This document provides resources and clarifications regarding IBM i NetServer and Kerberos authentication.

Resolving The Problem

Kerberos - A Simple Definition:
Kerberos is a network authentication protocol that was created by MIT to address a variety of network security problems. It includes authentication tools and cryptography methods that allow secure connections to be made across insecure networks.

IBM's Enterprise Identity Mapping (EIM):

EIM is a mechanism for mapping (associating) a person or entity to the appropriate user identities in various registries throughout the enterprise. EIM provides APIs for creating and managing these identity mapping relationships, as well as APIs that applications use to query this information. In addition, IBM i uses EIM and Kerberos capabilities to provide a single sign-on environment that significantly simplifies network administration. See Enterprise Identity Mapping.

The Network Authentication Service wizard generates a batch file that can be used to add the necessary service principals to the Kerberos server. Simply move the batch file to the Kerberos server (via FTP, for example) and run it.

Additional Information:

Once Kerberos configuration setup has begun on the Windows side, IBM i NetServer must also be configured to use Kerberos.

The message "Account Is Not Authorized to Login from This Station" occurs when a user attempts to map an IBM i NetServer drive and indicates that the service principal has been added to the Windows side, but that IBM i NetServer has not yet been configured to use Kerberos. Once the service principal has been added, Windows expects all connections to that host to use extended security. Until IBM i NetServer is set to use Kerberos, it announces that it does not support extended security negotiation.

The message "Account Is Not Authorized to Login from This Station" appears to be a Windows method to protect the client from being forced back to use a weaker authentication method.

In many cases, it might be impractical for customers to migrate all IBM i NetServer users to Kerberos V5 authentication in a single step. An option allows administrators to migrate users to Kerberos V5 authentication gradually while keeping compatibility with clients that have not yet been migrated. Once all clients are configured to use Kerberos, the NetServer authentication method can be set to 'Network Authentication' (*KERBEROS).
Before doing so, verify that all clients are using Kerberos. That can be determined with the GO NETS tool: within GO NETS, take option 15, Work with NetServer Sessions.
If a client is using Kerberos, the user name is listed in the case of the profile name on Windows. For example, if the Windows user is bob, a Kerberos connection lists bob, while a password connection for the same user lists BOB.
If not all clients are using Kerberos, it might be advisable to delay removing the hidden share or setting the NetServer Properties Security tab to 'Network Authentication' (or *KERBEROS within GO NETS option 9, Change Attributes).
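As an added illustration, not part of this IBM document, the following Python check applies the user-name case heuristic described above to a constructed session list before the switch to *KERBEROS; the workstation names, user names and the set of all-upper-case Windows user names are assumptions.

```python
# Readiness check before setting NetServer to 'Network Authentication'.
# Heuristic from the text: a Kerberos session shows the Windows profile's
# case (bob); a password session shows the IBM i profile (BOB).
# Edge case: a Windows user whose name is entirely upper case cannot be
# told apart by case alone, so it is reported as 'ambiguous', not 'kerberos'.
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample rows (workstation, user name as shown by GO NETS option 15);
# not output from a real system.
SAMPLE_SESSIONS: List[Tuple[str, str]] = [
    ("WKS01", "bob"),       # Windows user bob, Kerberos session
    ("WKS02", "BOB"),       # same user, still password authentication
    ("WKS03", "Alice.Ng"),  # mixed-case Windows name, Kerberos session
    ("WKS04", "ADMIN"),     # Windows name is all upper case -> ambiguous
]

# Constructed assumption: Windows user names that are entirely upper case.
UPPER_CASE_WINDOWS_USERS: FrozenSet[str] = frozenset({"ADMIN"})


def classify(user: str, upper_case_windows_users: FrozenSet[str] = frozenset()) -> str:
    """Return 'kerberos', 'password' or 'ambiguous' for one session user name."""
    if user != user.upper():
        # Lower or mixed case can only come from the Windows profile name.
        return "kerberos"
    if user in upper_case_windows_users:
        # An all-upper-case Windows name looks the same under either method.
        return "ambiguous"
    # All upper case and not a known upper-case Windows name: IBM i profile,
    # i.e. password authentication.
    return "password"


def ready_for_kerberos(
    sessions: List[Tuple[str, str]],
    upper_case_windows_users: FrozenSet[str] = frozenset(),
) -> Tuple[bool, Dict[str, List[Tuple[str, str]]]]:
    """Group sessions by method; ready only if nothing is password or ambiguous."""
    report: Dict[str, List[Tuple[str, str]]] = {"kerberos": [], "password": [], "ambiguous": []}
    for workstation, user in sessions:
        report[classify(user, upper_case_windows_users)].append((workstation, user))
    ready = not report["password"] and not report["ambiguous"]
    return ready, report


if __name__ == "__main__":
    ok, rep = ready_for_kerberos(SAMPLE_SESSIONS, UPPER_CASE_WINDOWS_USERS)
    print("safe to switch to *KERBEROS:", ok)
    for method, rows in rep.items():
        print(f"{method:10s} {rows}")
```

Ambiguous entries need confirmation by another means (for example, checking the client's configuration) before the switch is made.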


Historical Number

341588029

Document Information

Modified date:
28 October 2021

UID

nas8N1019201