IBM Support

Windows 11 24H2 update causes issues connecting to IBM i

Troubleshooting


Problem

IBM i clients have reported two problems after applying the Windows 11 24H2 update:
1) IBM i Access Client Solutions Windows Application Package is no longer able to use the "*WINLOGON" authentication option. 
2) Mapped drives to the IBM i may fail to return results or display the message "The specified server cannot perform the requested operation"
These are discussed in further detail below.

Symptom

1) ACS WinAP ODBC clients that are set to "Use Windows user name and password, no prompting" will fail to authenticate and receive message CWBSY1040
2) Access to specific directories on the IBM i will fail with message "The specified server cannot perform the requested operation"

Resolving The Problem

Problem 1:

The *WINLOGON support was originally leveraged in the old client IBM i Access for Windows via the setting  "Use Windows Username and Password, no prompting".  That support was later propagated to the IBM i Access Client Solutions Windows Application Package which provides native Windows data access providers like ODBC, .Net, and OLEDB to connect to IBM i Db2 data.   It provides the capability for a Windows client to get the current credentials used to sign into the workstation.

The only way this was of any use is if the Windows credentials exactly matched the IBM i credentials.  IBM i Access has been leveraging this support as a convenience for users that did not want to have to reenter the exact same credentials when accessing the IBM i.  Needless to say, there are security issues with this support.   In the May 2024 update for the IBM i Access Client Solutions Windows Application Package, the capability to use “Use Windows Username and Password” for connecting to the IBM i has been disabled by default.  Instructions were provided in the release notes for an Admin to enable it if desired.  However, in the next update, it will be permanently removed with no capability to reenable it.

In the Windows 11 24H2 update, Microsoft disabled *WINLOGON by default from an OS perspective making the option in IBM i Access useless. Users need to select an alternate authentication option.

A common option is to set a default user profile. The first time a user makes a connection to the IBM i, they are prompted for a password. All subsequent connections automatically use the specified USRPRF and pull the password out of a cache. The user is not prompted again. The cache is cleared on reboot and thus requires providing the password again.
 
Another option would be to implement Kerberos, though that is non-trivial to configure.
Administrators might consider "netrc" , or, the "cwblogon" utility (part of ACS Win AP), though, we cannot recommend using that in a script because that would mean leaving plain-text credentials in a file.
Problem 2:
There were changes made to file name rules in Windows 11 24H2 that have caused IFS access problems for customers.  Those errors were tracked down to object names in the directory that did not comply with Windows file name rules. 
Here is a link to Microsoft file naming rules to check the directory contents:
https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file
Potential problem characters are identified in bullet 6 under the Naming Conventions section
Use any character in the current code page for a name, including Unicode characters and characters in the extended character set (128–255), except for:
The following reserved characters:
< (less than)
> (greater than)
: (colon)
" (double quote)
/ (forward slash)
\ (backslash)
| (vertical bar or pipe)
? (question mark)
* (asterisk)
Removal or renaming of the invalidly-named objects restored the ability to the access the IFS directory via mapped network drive from Windows 11 24H2 clients. 

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CTpAAM","label":"IBM i Access-\u003EAccess Client Solutions"}],"ARM Case Number":"TS018219866","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"All Versions"}]

Document Information

Modified date:
28 January 2025

UID

ibm17180720