This can all be very confusing, and it took me a while to get past the
things that looked like obstacles at first.

Windows authenticates - in a Kerberos environment, the iSeries
recognizes that authentication, so passwords for the iSeries are not
stored anywhere - you actually don't even NEED them, for the day-to-day

In Kerberos environments that don't use EIM, the user names have to be
the same on both Windows and the iSeries, or any app on the iSeries that
login, such as our WebDocs product.

Therefore, EIM comes in to map the identifier used in Windows domain to
the identifier used on the iSeries (the user profile). This makes it
really nice to retrofit, say, Kerberos and SSO in a place where the
names are different, like maybe there didn't used to be a Windows domain.

Kerberos is a 3rd-party authentication model - the KDC authenticates
both a user and an application or system. It gives a ticket to a user
when that user tries to use or connect to something - that ticket lets
the user know that the system or app is friendly.

It's like the old speak-easy days - you go up to the door and knock, a
little window opens up, and Bruno says, "Who do you think YOU are?" But
you know a guy named Joe, who said that Bruno also knows Joe, so you
say, "Joe sent me" and show Bruno Joe's card (ticket). Then Bruno says,
"OK, come on in - since Joe says you're OK."

Now maybe the speak-easy used to have a list of people who knew the
secret rat-a-tat-tat, but with Joe, they don't need that anymore, nor do
you have to know that secret handshake or whatever.

I think you've actually made it much harder than it is. I mean, you
still need a user profile on the iSeries, for authorization - what you
are allowed to do. SSO separates authentication (who you are) and
authorization (what your privileges are) in the login process.

Now you don't really need to use the Windows AD - you could use the LDAP
server on the iSeries. But things just get a little messier, seems to me.

There ARE also APIs for EIM that can be used in Windows apps - but that
won't help, cuz you're not asking a Windows app to recognize your
authentication from Windows.

Have you seen the SSO 101 article on developerWorks? Try it at
- somewhere on that page is a
link - it was written by the ISV support team in Rochester, who were
invaluable in helping me enable our product for SSO.

On 9/12/2012 2:59 PM, Jack Kingsley wrote:

Have some questions on this:

A) If Windows AD owns the KDC, shouldn't it own the EIM/SSO as well?

B) I want to get to the point of using all of this, but unfortunately I am
in a situation where the 'I' would not be the server owner per-se.

C) I want to run a 5250 session using KERBEROS, but I want the ISERIES
profiles/passwords to be coming from the AD side, can't this come from the
AD side so long as I just add the ISERIES to the AD realm??

In what I want to do I want my environment to be more of the slave to these
and not the host/owner of it.

Should I be leveraging LDAP to some extent as well with all of this?