SSO on i with EIM requires that you set up Kerberos support, known as
Network Authentication Service, first, and that your users have logged
in to a Windows domain, not to the local account on their PCs.
Once that's done, you hit the wall of understanding that you have - the
same one, basically, that I did.
EIM is just a glorified lookup table - no passwords are involved. It's a
list of users for each system or application to which those people log
in. You have to use APIs in your own apps to look up what i user
corresponds to which AD user. IBM has already enabled things like 5250
emulation to do this lookup with these APIs.
There is no connection with password levels - the whole idea is, you
don't even use passwords anymore. In fact, you can set the user's
password on the i to *NONE if you want.
10 characters for user profiles? hey, it's a 400 object, and those names
are at most 10 characters. But it doesn't matter - you do NOT have to
use the same name on the i side as you have on the Windows side - that's
the whole point of EIM - it maps one login name to another login name.
The pivot is an identifier - a person in an enterprise - that could be
Jack Kingsley, it could be Vernon M. Hamberg. This person is known to
different systems by different names. I have mapped my Windows name
'vern' to a 400 name 'VERNSSO'
The whole point is, iSeries trusts the authentication performed by
Windows - then, iSeries gets that Windows user name. Then it finds the
corresponding iSeries user profile ID and makes that the user of the job
- with the privileges (authorization) that user profile has.
Make sense? Hope so - it turns out much simpler than it seems at first.
On 4/3/2012 7:22 AM, Jack Kingsley wrote:
Can anyone elaborate on how they might have moved forward with such a
project, also, how did you handle the AD side of things with those
credentials and then having them match on the "I" side of things. Were you
forced to change your QPWDLVL at all? Was/is there a way around only 10
characters for the as400 profile? Was this an issue? How were you able to
get around multiple users using a computer for 5250 access once the AD
credentials were verified granting access to the desktop?
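The lookup Vern describes above (Windows 'vern' mapped through a person identifier to the i profile 'VERNSSO', no password involved), written out as an added example that is not part of the original thread and is not IBM's EIM API, which keeps this table in LDAP. The registry names, the "Kerberos"/"OS400" registry type labels, and the second person's missing target association are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

SOURCE = "source"  # association a person is mapped FROM (e.g. a Kerberos principal)
TARGET = "target"  # association a person is mapped TO (e.g. an i user profile)

class EimDomain:
    """Constructed in-memory model of an EIM domain; not IBM's EIM API."""
    def __init__(self, registries: Dict[str, str]) -> None:
        self.registries = registries  # registry name -> registry type
        # identifier (the person, EIM's pivot) -> [(registry, user name, kind)]
        self.identifiers: Dict[str, List[Tuple[str, str, str]]] = {}

    def add_association(self, person: str, registry: str, user: str, kind: str) -> None:
        if registry not in self.registries:
            raise KeyError(f"unknown registry {registry}")
        if self.registries[registry] == "OS400" and len(user) > 10:
            raise ValueError("an i user profile name is at most 10 characters")
        self.identifiers.setdefault(person, []).append((registry, user, kind))

    def get_target_from_source(self, src_reg: str, src_user: str, tgt_reg: str) -> Optional[str]:
        """The EIM lookup: (source registry, user) -> identifier -> user in the target
        registry. No password is checked; the caller already authenticated the user."""
        for assocs in self.identifiers.values():
            if (src_reg, src_user, SOURCE) in assocs:
                for registry, user, kind in assocs:
                    if registry == tgt_reg and kind == TARGET:
                        return user
                return None  # known person, but no profile on that target system
        return None  # nobody in the domain is known by this source name

KRB = "MYCO.COM"           # constructed Kerberos realm registry name
I_SYS = "MYI400.MYCO.COM"  # constructed IBM i system registry name

def build_domain() -> EimDomain:
    d = EimDomain({KRB: "Kerberos", I_SYS: "OS400"})
    d.add_association("Vernon M. Hamberg", KRB, "vern", SOURCE)
    d.add_association("Vernon M. Hamberg", I_SYS, "VERNSSO", TARGET)
    d.add_association("Jack Kingsley", KRB, "jack", SOURCE)  # no target association yet
    return d

def signon(domain: EimDomain, kerberos_user: str) -> Optional[str]:
    """What 5250 emulation does once the Windows/Kerberos ticket is accepted: the
    profile returned becomes the job's user (with its authorities); None means no sign-on."""
    return domain.get_target_from_source(KRB, kerberos_user, I_SYS)

if __name__ == "__main__":
    dom = build_domain()
    for principal in ("vern", "jack"):
        print(f"{principal}@{KRB} -> {signon(dom, principal)}")
```

Each Windows login on a shared PC carries its own principal, so each user of the same machine is looked up and mapped separately.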