Troubleshooting
Problem
Symptom
Resolving The Problem
The *WINLOGON support was originally leveraged in the old client IBM i Access for Windows via the setting "Use Windows Username and Password, no prompting". That support was later propagated to the IBM i Access Client Solutions Windows Application Package which provides native Windows data access providers like ODBC, .Net, and OLEDB to connect to IBM i Db2 data. It provides the capability for a Windows client to get the current credentials used to sign into the workstation.
The only way this was of any use is if the Windows credentials exactly matched the IBM i credentials. IBM i Access has been leveraging this support as a convenience for users that did not want to have to reenter the exact same credentials when accessing the IBM i. Needless to say, there are security issues with this support. In the May 2024 update for the IBM i Access Client Solutions Windows Application Package, the capability to use “Use Windows Username and Password” for connecting to the IBM i has been disabled by default. Instructions were provided in the release notes for an Admin to enable it if desired. However, in the next update, it will be permanently removed with no capability to reenable it.
In the Windows 11 24H2 update, Microsoft disabled *WINLOGON by default from an OS perspective making the option in IBM i Access useless. Users need to select an alternate authentication option.
A common option is to set a default user profile. The first time a user makes a connection to the IBM i, they are prompted for a password. All subsequent connections automatically use the specified USRPRF and pull the password out of a cache. The user is not prompted again. The cache is cleared on reboot and thus requires providing the password again.Another option would be to implement Kerberos, though that is non-trivial to configure.
Administrators might consider "netrc" , or, the "cwblogon" utility (part of ACS Win AP), though, we cannot recommend using that in a script because that would mean leaving plain-text credentials in a file.
https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file
> (greater than)
: (colon)
" (double quote)
/ (forward slash)
\ (backslash)
| (vertical bar or pipe)
? (question mark)
* (asterisk)
Related Information
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
28 January 2025
UID
ibm17180720