This can all be very confusing, and it took me a while to get past the things that looked like obstacles at first.

Windows authenticates - in a Kerberos environment, the iSeries recognizes that authentication, so passwords for the iSeries are not stored anywhere - you actually don't even NEED them, for the day-to-day user.

In Kerberos environments that don't use EIM, the user names have to be the same on both Windows and the iSeries, or in any app on the iSeries that logs in, such as our WebDocs product.

Therefore, EIM comes in to map the identifier used in Windows domain to the identifier used on the iSeries (the user profile). This makes it really nice to retrofit, say, Kerberos and SSO in a place where the names are different, like maybe there didn't used to be a Windows domain.

Kerberos is a 3rd-party authentication model - the KDC authenticates both a user and an application or system. It gives a ticket to a user when that user tries to use or connect to something - that ticket lets the user know that the system or app is friendly.

It's like the old speak-easy days - you go up to the door and knock, a little window opens up, and Bruno says, "Who do you think YOU are?" But you know a guy named Joe, who said that Bruno also knows Joe, so you say, "Joe sent me" and show Bruno Joe's card (ticket). Then Bruno says, "OK, come on in - since Joe says you're OK."

Now maybe the speak-easy used to have a list of people who knew the secret rat-a-tat-tat, but with Joe, they don't need that anymore, nor do you have to know that secret handshake or whatever.

I think you've actually made it much harder than it is. I mean, you still need a user profile on the iSeries, for authorization - what you are allowed to do. SSO separates authentication (who you are) and authorization (what your privileges are) in the login process.

Now you don't really need to use the Windows AD - you could use the LDAP server on the iSeries. But things just get a little messier, seems to me.

There ARE also APIs for EIM that can be used in Windows apps - but that won't help, cuz you're not asking a Windows app to recognize your authentication from Windows.

Have you seen the SSO 101 article on developerWorks? Try it at - somewhere on that page is a link - it was written by the ISV support team in Rochester, who were invaluable in helping me enable our product for SSO.


On 9/12/2012 2:59 PM, Jack Kingsley wrote:
Have some questions on this:

A) If Windows AD owns the KDC, shouldn't it own the EIM/SSO as well?
B) I want to get to the point of using all of this, but unfortunately I am
in a situation where the 'I' would not be the server owner per se.
C) I want to run a 5250 session using KERBEROS, but I want the ISERIES
profiles/passwords to be coming from the AD side, can't this come from the
AD side so long as I just add the ISERIES to the AD realm?

In what I want to do I want my environment to be more of the slave to these
and not the host/owner of it.

Should I be leveraging LDAP to some extent as well with all of this?
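The reply above describes the pieces in words: the KDC authenticates the Windows user, EIM maps that Kerberos identity to an iSeries user profile (or, without EIM, the names simply have to match), and the user profile still decides authorization. The following is an added toy model of that flow, not code from the thread or from IBM; the principals, the EIM association table, the user profiles and the special authorities in it are all constructed for illustration, and no real KDC or EIM domain is consulted.

```python
"""Toy model of the SSO flow discussed in the thread.

Authentication is assumed to have already happened at the KDC (the user
holds a ticket for a principal such as user@REALM).  What is modelled here
is the part that happens on the iSeries side: mapping the principal to a
user profile, with or without EIM, and then checking authorization
against that profile.  Everything in the tables below is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class UserProfile:
    """Constructed stand-in for an IBM i user profile: authorization lives here."""
    name: str
    special_authorities: Set[str] = field(default_factory=set)


# Constructed EIM associations: Kerberos source identity -> iSeries user
# profile.  Keys are stored normalised (user lower-case, realm upper-case)
# because Kerberos realms are case-sensitive and conventionally upper-case,
# while Windows logon names are not case-sensitive.
EIM_ASSOCIATIONS = {
    "jack.kingsley@EXAMPLE.COM": "JKINGSLEY",
}

# Constructed user profiles.  Note that the Windows name and the profile name
# differ for Jack (which is exactly what EIM exists to bridge), while the
# WEBDOCS name happens to be identical on both sides.
USER_PROFILES = {
    "JKINGSLEY": UserProfile("JKINGSLEY", {"*ALLOBJ"}),
    "WEBDOCS": UserProfile("WEBDOCS", set()),
}


def normalise_principal(principal: str) -> str:
    """Split user@REALM, lower-casing the user part and upper-casing the realm."""
    if principal.count("@") != 1:
        raise ValueError(f"not a user@REALM principal: {principal!r}")
    user, realm = principal.split("@")
    if not user or not realm:
        raise ValueError(f"empty user or realm in principal: {principal!r}")
    return f"{user.lower()}@{realm.upper()}"


def map_to_profile(principal: str, use_eim: bool = True) -> Optional[str]:
    """Return the iSeries profile for an authenticated principal, or None.

    With EIM the association table decides.  Without EIM the only option,
    as the reply notes, is that the Windows user name and the profile name
    are the same, so the user part of the principal is tried directly.
    """
    norm = normalise_principal(principal)
    if use_eim:
        return EIM_ASSOCIATIONS.get(norm)
    candidate = norm.split("@")[0].upper()
    return candidate if candidate in USER_PROFILES else None


def authorize(principal: str, required_authority: str,
              use_eim: bool = True) -> Tuple[str, bool]:
    """Authorization half of SSO: who you are is already settled by the ticket;
    this only answers whether the mapped profile holds the required authority.
    Returns (profile_name, allowed)."""
    profile_name = map_to_profile(principal, use_eim)
    if profile_name is None:
        raise LookupError(f"no user profile mapped for {principal!r}")
    profile = USER_PROFILES[profile_name]
    return profile_name, required_authority in profile.special_authorities


if __name__ == "__main__":
    # Same Windows logon, typed with different case: EIM still finds JKINGSLEY.
    print(authorize("Jack.Kingsley@example.com", "*ALLOBJ"))
    # Without EIM, a name that matches on both sides still works ...
    print(authorize("webdocs@EXAMPLE.COM", "*ALLOBJ", use_eim=False))
    # ... but a mismatched name has nowhere to go.
    print(map_to_profile("jack.kingsley@EXAMPLE.COM", use_eim=False))
```

The point the model makes is the one the reply makes: a ticket from the KDC never carries iSeries privileges, so retiring Windows-side passwords does not remove the need for a user profile, and EIM only becomes necessary when the two names differ.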
