MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » February 2014

Re: EIM Domain and SSO



fixed

Does EIM do anything for IFS access? That is the biggest reason we are exploring this. We need the mainframe to access windows shares using QNTC and we thought EIM would allow Windows to link IBM user profiles to domain users. We may even need to map some system users to an appropriate domain user. I am not sure if any of that is possible, so I thought I had better verify before I waste a lot of time.

Also, I thought I had read that you could not log into profiles (on the IBM i) that have SSO enabled. Is that true? The tutorials do not seem to indicate that is the case. I am getting the impression it is optional.


On 2/19/2014 5:02 PM, Vernon Hamberg wrote:
Good points - now for other positive spins!!

Apache web server supports Kerberos, and so does jt400 - just in case
you want to start playing in those worlds.

Vern

On 2/19/2014 3:33 PM, Matt Olson wrote:
The other big App IBM i shops run into that don't support Kerberos is
RDP (rational developer for power). Still have no idea why they
haven't jumped on the bandwagon.



-----Original Message-----
From: Matt Olson [mailto:Matt.Olson@xxxxxxxx]
Sent: Wednesday, February 19, 2014 3:33 PM
To: Midrange Systems Technical Discussion
Subject: RE: EIM Domain and SSO

Matt,

EIM works pretty good, as long as all the applications in your
environment support EIM. Some applications don't (like content
manager). But for those things that do (5250) it works great.

Be sure to have the following PTF's so you don't have to scratch your
head why your windows 2008 (or above) domain controllers that are
handing out Kerberos tickets is failing. It wasn't long ago that the
IBM i only supported DES Kerberos where as Microsoft moved to AES
years ago as the default Kerberos encryption routine, and thus causes
problems with Kerberos authentication, causing windows server
operators to "dumb down" the encryption to the old DES standard rather
then embrace the new, more secure Kerberos encryption standards.

Fix Release Description
--------- --------- ----------------------------
SI42919 V7R1 Adds AES & RC4 encryption support (krb)
SI42957 V6R1 " "
SI43034 V5R4 " "

SI43918 V7R1 Updates KRB5 header file in QSYSINC
SI43919 V6R1 " "
SI43920 V5R4 " "

Matt


-----Original Message-----
From: Matt Lavinder [mailto:mlavinder@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, February 19, 2014 3:05 PM
To: midrange-l@xxxxxxxxxxxx
Subject: EIM Domain and SSO

We have been investigating single-sign-on I am looking at following
the document here (http://is.gd/6xxMCv) for creating a SSO test
environment.
I get a bit nervous about making changes as we do not have a test
system. Will the act of creating a new EIM domain have any impact on
existing users or objects?
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.









Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact