Hi Jack

SSO on i with EIM requires that you set up Kerberos support, known as Network Authentication Service, first. It also requires that your users have logged in to a Windows domain, not to the local account on their PCs.

Once that's done, you hit the wall of understanding that you have - the same one, basically, that I did.

EIM is just a glorified lookup table - no passwords are involved. It's a list of users for each system or application to which those people log in. You have to use APIs in your own apps to look up which i user corresponds to which AD user. IBM has already enabled things like 5250 emulation to do this lookup with these APIs.

There is no connection with password levels - the whole idea is, you don't even use passwords anymore. In fact, you can set the user's password on the i to *NONE if you want.

10 characters for user profiles? Hey, it's a 400 object, and those names are at most 10 characters. But it doesn't matter - you do NOT have to use the same name on the i side as you have on the Windows side - that's the whole point of EIM - it maps one login name to another login name. The pivot is an identifier - a person in an enterprise - that could be Jack Kingsley, it could be Vernon M. Hamberg. This person is known to different systems by different names. I have mapped my Windows name 'vern' to a 400 name 'VERNSSO'.

The whole point is, iSeries trusts the authentication performed by Windows - then, iSeries gets that Windows user name. Then it finds the corresponding iSeries user profile ID and makes that the user of the job - with the privileges (authorization) that user profile has.

Make sense? Hope so - it turns out much simpler than it seems at first glance.


On 4/3/2012 7:22 AM, Jack Kingsley wrote:
Can anyone elaborate on how they might have moved forward with such a
project, also, how did you handle the AD side of things with those
credentials and then having them match on the "I" side of things? Were you
forced to change your QPWDLVL at all, was/is there a way around only 10
characters for the as400 profile, was this an issue? How were you able to
get around multiple users using a computer for 5250 access once the AD
credentials were verified granting access to the desktop?

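The mapping Vern describes (an EIM identifier for a person, with a source association for the Windows/Kerberos name and a target association for the i user profile, and no password anywhere in the lookup) can be modelled in a few lines. This is an added illustration, not IBM's EIM API or anyone's code from the thread; the registry names, the 'jack' entry and the refusal of ambiguous mappings are assumptions made for the example.

```python
# Constructed model of an EIM domain: identifiers with source/target associations.
# Illustrative only - not IBM's EIM APIs (eimGetTargetFromSource and friends).
from collections import defaultdict


class AmbiguousMapping(Exception):
    """Raised when a source user maps to more than one target user in one registry."""


class EimDomain:
    def __init__(self):
        # identifier -> {"source": {(registry, user)}, "target": {(registry, user)}}
        self.identifiers = defaultdict(lambda: {"source": set(), "target": set()})

    @staticmethod
    def _reg(name):
        return name.upper()  # assumption: registry names are case-insensitive

    def add_source(self, identifier, registry, user):
        self.identifiers[identifier]["source"].add((self._reg(registry), user))

    def add_target(self, identifier, registry, user):
        self.identifiers[identifier]["target"].add((self._reg(registry), user))

    def get_target_from_source(self, src_registry, src_user, tgt_registry):
        """Return the target user for (src_registry, src_user), or None if unmapped.
        No password is consulted: the caller already authenticated src_user elsewhere."""
        src = (self._reg(src_registry), src_user)
        targets = {
            user
            for ident in self.identifiers.values() if src in ident["source"]
            for reg, user in ident["target"] if reg == self._reg(tgt_registry)
        }
        if len(targets) > 1:
            raise AmbiguousMapping(f"{src_user} maps to {sorted(targets)} in {tgt_registry}")
        return next(iter(targets), None)


def build_sample_domain():
    d = EimDomain()
    # Vern's own 'vern' -> 'VERNSSO' mapping from the post; everything else is constructed.
    d.add_source("Vernon M. Hamberg", "MYCO.COM", "vern")         # Kerberos (Windows) registry
    d.add_target("Vernon M. Hamberg", "MYI.MYCO.COM", "VERNSSO")  # IBM i user profile registry
    d.add_source("Jack Kingsley", "MYCO.COM", "jack")
    d.add_target("Jack Kingsley", "MYI.MYCO.COM", "JACKK")
    return d


def sso_signon(domain, kerberos_principal, i_registry="MYI.MYCO.COM"):
    """Given an already-authenticated principal like 'vern@MYCO.COM', find the i profile to run the job as."""
    user, realm = kerberos_principal.split("@", 1)
    return domain.get_target_from_source(realm, user, i_registry)
```

Note that `sso_signon` never sees a password: if the principal is not in the table it simply returns None and the job does not get a user, which is why the i profile can be set to *NONE.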

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].