Hey, Eric - most excellent info - I was sure there was a way - I mean,
Windows boxes are using Kerberos for their authentication, they should
be able to participate with IBM i for that.
Just to put some words to all this - the idea with Kerberos is that each
principle, whether a user or a system, needs to know it can trust others
in the network.
For QNTC, the request to the Windows box needs to include a ticket, as
you describe. And the IBM i has to be defined as, perhaps, a trusted
system, and that definition is in the KDC (in a windows network, that is
the AD server or server "group")
IBM i is already getting the ticket for the user when you connect - now
it just needs to be able to pass it along to a windows box.
Too many words! Hope the extra phrasing - and different words - helps
people to get their heads around this a bit more.
On 4/4/2014 9:46 AM, DeLong, Eric wrote:
I found this in the V5R4 information center...
Enabling QNTC file system for Network Authentication Service
The QNTC file system enables System i(tm) platform access to Common Integrated File System (CIFS) servers that support the Kerberos V5 authentication protocol.
Rather than using a LAN manager type password to authenticate with each server, a properly configured System i platform will now be able to access supported CIFS servers with a single logon transaction.
To enable the Network Authentication Service (NAS) for use with QNTC, you must configure these items:
Network Authentication Service (NAS)
Enterprise Identity Mapping (EIM)
Once the above items have been configured, you can then enable a user to use NAS with the QNTC file system. The following steps are needed to allow a user to take advantage of the QNTC NAS support.
The user's i5/OS(r) user profile must have the local password management parameter, LCLPWDMGT, set to *NO. By specifying *NO, the user will not have a password to the server and will not be able to sign on to a 5250 session. The only access to the server will be through NAS-enabled applications, such as iSeries(tm) Navigator or iSeries Access 5250 Display Emulator.
If the user specifies *YES, the password will be managed by the server and the user will be authenticated without NAS.
You must have a Kerberos ticket and an iSeries Navigator connection.
The Kerberos ticket for the System i platform you are using must be forwardable. To make a ticket forwardable, follow these steps:
Access the Active Directory Users and Computers tool on the KDC for your NAS realm.
Select the name that corresponds to the service principal name.
Select the Account tab.
Select Account is trusted for delegation.
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Gad Miron
Sent: Friday, April 04, 2014 2:26 AM
Subject: Re: Synchronized Passwords accross IBM i & Active Directory
Seeking advice with SSO...
A few weeks ago we've set up a test SSO environment and the 3 users
we have set to use SSO are signed-on to our IBM i automatically (using BOS
However, the expert we brought in for the procedure told me that SSO will
not solve the problem of copying files from the i's IFS to domain Windows
servers using QNTC as passwords still need to be the same.
Copying files was/is the reason for the whole test..
Is that correct - meaning SSO does not automatically let you copy files to
domain Win Servers?
Is there another method to enable such file copying?