Hey, Eric - most excellent info - I was sure there was a way - I mean, Windows boxes are using Kerberos for their authentication, they should be able to participate with IBM i for that.

Just to put some words to all this - the idea with Kerberos is that each principle, whether a user or a system, needs to know it can trust others in the network.

For QNTC, the request to the Windows box needs to include a ticket, as you describe. And the IBM i has to be defined as, perhaps, a trusted system, and that definition is in the KDC (in a windows network, that is the AD server or server "group")

IBM i is already getting the ticket for the user when you connect - now it just needs to be able to pass it along to a windows box.

Too many words! Hope the extra phrasing - and different words - helps people to get their heads around this a bit more.


On 4/4/2014 9:46 AM, DeLong, Eric wrote:
I found this in the V5R4 information center...


Enabling QNTC file system for Network Authentication Service
The QNTC file system enables System i(tm) platform access to Common Integrated File System (CIFS) servers that support the Kerberos V5 authentication protocol.

Rather than using a LAN manager type password to authenticate with each server, a properly configured System i platform will now be able to access supported CIFS servers with a single logon transaction.

To enable the Network Authentication Service (NAS) for use with QNTC, you must configure these items:

Network Authentication Service (NAS)
Enterprise Identity Mapping (EIM)
Once the above items have been configured, you can then enable a user to use NAS with the QNTC file system. The following steps are needed to allow a user to take advantage of the QNTC NAS support.

The user's i5/OS(r) user profile must have the local password management parameter, LCLPWDMGT, set to *NO. By specifying *NO, the user will not have a password to the server and will not be able to sign on to a 5250 session. The only access to the server will be through NAS-enabled applications, such as iSeries(tm) Navigator or iSeries Access 5250 Display Emulator.
If the user specifies *YES, the password will be managed by the server and the user will be authenticated without NAS.

You must have a Kerberos ticket and an iSeries Navigator connection.
The Kerberos ticket for the System i platform you are using must be forwardable. To make a ticket forwardable, follow these steps:
Access the Active Directory Users and Computers tool on the KDC for your NAS realm.
Select users.
Select the name that corresponds to the service principal name.
Select Properties.
Select the Account tab.
Select Account is trusted for delegation.

-Eric DeLong

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Gad Miron
Sent: Friday, April 04, 2014 2:26 AM
To: midrange-l@xxxxxxxxxxxx
Subject: Re: Synchronized Passwords accross IBM i & Active Directory

Hello guys

Seeking advice with SSO...

A few weeks ago we've set up a test SSO environment and the 3 users
we have set to use SSO are signed-on to our IBM i automatically (using BOS
emulation )
However, the expert we brought in for the procedure told me that SSO will
not solve the problem of copying files from the i's IFS to domain Windows
servers using QNTC as passwords still need to be the same.
Copying files was/is the reason for the whole test..

Is that correct - meaning SSO does not automatically let you copy files to
domain Win Servers?
Is there another method to enable such file copying?


This thread ...


Return to Archive home page | Return to MIDRANGE.COM home page