
Tag Archives: ldap

Configuring for kerberos Authentication

The iSeries Network Authentication Service (NAS) provides Kerberos V5 authentication for the iSeries. Kerberos authentication support for iSeries NetServer uses NAS and Enterprise Identity Mapping (EIM) to allow users to sign on once and be authenticated to many iSeries NetServers. This reduces the number of passwords that users need to remember and reduces password administration.
Setting up a Kerberos authentication scheme involves configuring the iSeries, iSeries NetServer and a Windows-based Key Distribution Center (KDC). To configure these three pieces of the Kerberos environment successfully you will need to understand how Kerberos authentication works. The iSeries Information Center (http://publib.boulder.ibm.com/pubs/html/as400/v5r1/ic2924/index.htm) provides a complete description of NAS and EIM. Consult the Information Center before attempting to configure iSeries NetServer for Kerberos authentication.
The list below shows the high-level steps required to configure iSeries NetServer for Kerberos authentication.

1. Install the required iSeries software products.
5722-AC3 Crypto Access Provider 128-bit for AS/400
2. Install and configure a Windows 2000 Server to act as the Key Distribution Center (KDC) for your network.
This server will be the source of the Kerberos tickets within your environment.
3. Synchronize the clocks of the iSeries and the KDC.
Kerberos tickets are time sensitive, so the clocks on all systems in the network must be synchronized.
4. Create user accounts on the KDC for all users and iSeries principals that will need a Kerberos ticket.
5. Make sure Lightweight Directory Access Protocol (LDAP) is configured and active.
Use the iSeries Navigator LDAP Configuration Wizard if LDAP is not already active.
6. Configure the Network Authentication Service on the iSeries.
Use the iSeries Navigator NAS Configuration Wizard to configure this service.
7. Configure an Enterprise Identity Mapping (EIM) domain on the iSeries.
Configure a single EIM domain controller for your entire network.
8. Change the iSeries NetServer Authentication Method to *kerberos.
Use iSeries Navigator to change the iSeries NetServer Properties.
NOTE: When configured for Kerberos authentication, only Kerberos-capable clients can connect to iSeries NetServer.
9. Map a network drive from a Kerberos-capable client (Windows 2000 or XP) to a configured iSeries NetServer share.
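Step 3 is the one most often skipped, and a ticket rejected for clock skew looks like a generic authentication failure. The following added example (not part of the original post or of any IBM tool) measures the clock offset between the machine it runs on and the KDC with a plain SNTP exchange and compares it with the Kerberos V5 default skew tolerance of 300 seconds. It assumes the Windows KDC answers SNTP on UDP port 123 (the Windows Time service); the offline demonstration at the bottom uses constructed timestamps rather than a live server.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KERBEROS_MAX_SKEW = 300        # Kerberos V5 default clock-skew tolerance, in seconds

def _to_ntp(unix_ts):
    """Unix time -> (seconds, 32-bit fraction) in NTP wire format."""
    secs = int(unix_ts)
    return secs + NTP_EPOCH_OFFSET, int((unix_ts - secs) * 2**32)

def _from_ntp(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def build_sntp_request(t1):
    """48-byte SNTP client packet: LI=0, VN=3, Mode=3; transmit timestamp = t1."""
    pkt = bytearray(48)
    pkt[0] = 0x1B
    struct.pack_into("!II", pkt, 40, *_to_ntp(t1))
    return bytes(pkt)

def build_sntp_response(t2, t3):
    """Server reply (Mode=4) carrying receive (t2) and transmit (t3) timestamps; used for offline tests."""
    pkt = bytearray(48)
    pkt[0] = 0x1C
    struct.pack_into("!II", pkt, 32, *_to_ntp(t2))
    struct.pack_into("!II", pkt, 40, *_to_ntp(t3))
    return bytes(pkt)

def clock_offset(response, t1, t4):
    """Server clock minus local clock, from the four SNTP timestamps (RFC 4330 formula)."""
    if len(response) < 48 or (response[0] & 0x07) != 4:
        raise ValueError("not an SNTP server response")
    t2 = _from_ntp(*struct.unpack_from("!II", response, 32))
    t3 = _from_ntp(*struct.unpack_from("!II", response, 40))
    return ((t2 - t1) + (t3 - t4)) / 2

def kerberos_skew_ok(offset, max_skew=KERBEROS_MAX_SKEW):
    return abs(offset) < max_skew

def check_kdc_clock(kdc_host, timeout=3.0):
    """Live check: query the KDC over UDP/123 and return the offset in seconds (assumed hypothetical host)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_sntp_request(t1), (kdc_host, 123))
        data, _ = s.recvfrom(48)
        t4 = time.time()
    return clock_offset(data, t1, t4)

if __name__ == "__main__":
    # Constructed scenario: KDC clock runs 400 s ahead, 100 ms round trip -> ticket would be rejected.
    t1 = 1700000000.0
    off = clock_offset(build_sntp_response(t1 + 400.05, t1 + 400.05), t1, t1 + 0.1)
    print(f"offset {off:+.3f}s, within Kerberos tolerance: {kerberos_skew_ok(off)}")
```

Run it against the KDC from the iSeries (or any host synchronized with it) before step 8; an offset near 300 seconds or more means the tickets issued in step 9 will be refused until the clocks are corrected.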