+1 - there's a nice tutorial in developerworks on setting up SSO with EIM and IBM's Kerberos implementation on the i. Here's the link -


It's not ALL that hard to set up SSO, once you get over some hurdles - it only took a month and a half, with help from ISV support, to find out it's easy - now that also involved using the EIM APIs to enable a web application for SSO - more than just using the wizard in IBM i access.

Getting all your users into EIM can be fussy, and IBM Lab Services (I think) and Pat Botz have tools for facilitating this. And Pat provides ongoing support that includes dealing with changes by Microsoft in their AD and Windows configuration stuff.

Good luck

On 4/2/2014 3:22 PM, DrFranken wrote:
This is precisely what EIM and Kerberos are about. Dump your IBM i
Passwords completely (except for admins) and just use the one in Windows.

If you truly need everyone to be able to sign on independently to IBM i
without using any windows workstations then this is likely not the right
solution for you.

- Larry "DrFranken" Bolhuis


On 4/2/2014 3:37 PM, Buzz Fenner wrote:

Looking to create a new process to facilitate password change on our i &
Windows domain. Until recently, we were on a Model 520 that housed two IXS
cards. On one of those cards was our W2K3 DC. With the help of User
Enrollment on the i, we sync'd up account passwords; a user account on the i
took care of performing password maintenance on the DC.

Fast forward to today with a new server and no more Windows integration; I
have to redo that process. Just wondering how other folks have addressed the


Buzz Fenner

Business Systems Analyst/Systems Administrator

City Water & Light

870.930.3374 | 870.219.5229


This thread ...


Return to Archive home page | Return to MIDRANGE.COM home page