Windows 2008 changed the default encryption level of Kerberos. They started to disallow DES based Kerberos encryption (because it is not as secure).
In Windows 7 and Windows Server 2008 (might have started in R2, don't remember), you must configure your computers to use the DES-CBC-MD5 or DES-CBC-CRC cipher suites to be compatible with the legacy DES encryption level that the AS400 only supports.
You then have two options:
1. Enable legacy DES encryption for your AS400 by telling your Windows 2008 domain controllers to allow the older, less secure DES encryption method for Kerberos. See here:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/80a5845c-aa74-4baf-9c05-8733ffcd0545/windows-2008r2-dcs-enable-use-des-encryption-for-legacy-applications (we enabled it at group policy level so it forced the requirement down to all servers/clients in the network under this GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos.)
2. (well this isn't an option for you, but for others who are on V5R4 or above can do this): Apply these fixes to allow the AS400 to use more modern Kerberos encryption techniques:
Fix       Release   Description
--------- --------- ----------------------------------------
SI42919   V7R1      Adds AES & RC4 encryption support (krb)
SI42957   V6R1      Adds AES & RC4 encryption support (krb)
SI43034   V5R4      Adds AES & RC4 encryption support (krb)
SI43918   V7R1      Updates KRB5 header file in QSYSINC
SI43919   V6R1      Updates KRB5 header file in QSYSINC
SI43920   V5R4      Updates KRB5 header file in QSYSINC
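The GPO named in option 1 writes a bitmask of allowed Kerberos encryption types, and the same bit layout is used by the msDS-SupportedEncryptionTypes attribute on AD accounts. The script below is an added example (not from this thread or from IBM/Microsoft) that decodes that bitmask on the local host and on one AD computer account, so you can see exactly where DES has been switched on after applying the workaround. The registry path, value name, bit values and attribute name are the documented Windows ones; the computer name 'AS400-EXAMPLE' is a placeholder.

```powershell
# Added example, not from the thread: audit the Kerberos "allowed encryption
# types" bitmask that the GPO "Network security: Configure encryption types
# allowed for Kerberos" writes, and the per-account equivalent in AD.
# Registry path/value name, the bit values and the AD attribute name are the
# documented Windows ones; 'AS400-EXAMPLE' is a placeholder computer name.

$EncTypes = [ordered]@{
    DES_CBC_CRC             = 0x01
    DES_CBC_MD5             = 0x02
    RC4_HMAC_MD5            = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function ConvertFrom-KerberosEncTypes {
    param([Parameter(Mandatory)][int]$Mask)
    $enabled = foreach ($name in $EncTypes.Keys) {
        if ($Mask -band $EncTypes[$name]) { $name }
    }
    [pscustomobject]@{
        Mask       = '0x{0:X}' -f $Mask
        Enabled    = @($enabled)
        DesEnabled = [bool]($Mask -band 0x03)   # either DES type
        AesEnabled = [bool]($Mask -band 0x18)   # either AES type
    }
}

# 1. Machine-wide policy value on this host (what the thread's GPO sets).
#    When the value is absent the OS default applies; on Windows 7 / 2008 R2
#    that default is RC4 + AES with DES disabled.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$pol = Get-ItemProperty -Path $polKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($null -ne $pol) {
    ConvertFrom-KerberosEncTypes -Mask $pol.SupportedEncryptionTypes
} else {
    'No SupportedEncryptionTypes policy on this host; OS default applies.'
}

# 2. The per-account view: msDS-SupportedEncryptionTypes on the legacy host's
#    computer account, i.e. which types the KDC may use for tickets involving
#    that account (requires the ActiveDirectory module).
$legacyHost = 'AS400-EXAMPLE'   # placeholder
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $acct = Get-ADComputer -Identity $legacyHost -Properties 'msDS-SupportedEncryptionTypes'
    $attr = $acct.'msDS-SupportedEncryptionTypes'
    if ($attr) { ConvertFrom-KerberosEncTypes -Mask $attr }
    else       { "$legacyHost has no msDS-SupportedEncryptionTypes set." }
}
```

Run it on a domain controller and on the file server the AS400 talks to after the GPO has applied; DesEnabled should be true only where it is needed. Because the thread's GPO was linked high enough to reach every server and client, it is worth checking a few machines that have nothing to do with the AS400 as well and, if they report DesEnabled, re-linking the GPO to the OU that holds only the DCs and the servers involved.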
-----Original Message-----
From: Terry Nonamaker [mailto:TNonamaker@xxxxxxxxxxxxxxxx]
Sent: Wednesday, June 19, 2013 10:55 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Iseries v4r5: QNTC works with Windows 2003 domain but fails with Windows 2008 domain
No, but I am not aware that should make a difference.
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Matt Olson
Sent: Wednesday, June 19, 2013 7:16 AM
To: Midrange Systems Technical Discussion
Subject: RE: Iseries v4r5: QNTC works with Windows 2003 domain but fails with Windows 2008 domain
Terry,
Do you use Kerberos for QNTC?
Matt
-----Original Message-----
From: Terry Nonamaker [mailto:TNonamaker@xxxxxxxxxxxxxxxx]
Sent: Tuesday, June 18, 2013 1:26 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Iseries v4r5: QNTC works with Windows 2003 domain but fails with Windows 2008 domain
Although this may not sound like your problem ....it was exactly our situation along with extreme slowness ....I would follow this link and give it a try ....this is a post I previously made and I think you will find it useful
Try this..
http://archive.midrange.com/midrange-l/201302/msg00431.html
Terry Nonamaker
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Stone, Joel
Sent: Monday, June 17, 2013 1:17 PM
To: Midrange Systems Technical Discussion
Subject: Iseries v4r5: QNTC works with Windows 2003 domain but fails with Windows 2008 domain
Running Iseries v4r5
The following command works well with Windows 2003 domain.
We are migrating to Windows 2008 domain (still on v4r5).
CPYTOSTMF +
FROMMBR('/qsys.lib/tpgmlib.lib/qclsrc.file/+
addtimetst.mbr') +
TOSTMF('QNTC/IGHNAS05/Public_test/GrainMktg+
/FTP/TEST05') STMFOPT(*ADD) +
STMFCODPAG(*PCASCII)
Getting security errors when sending to Windows 2008 Domain.
Any ideas how to resolve?
Thanks
06/17/13 15:06:05.164536 QCADRV QSYS 03C4 A_TEST05
JSTONE 000C
Message . . . . : 200 - CPYTOSTMF
FROMMBR('/qsys.lib/tpgmlib.lib/qclsrc.file/addtimetst.mbr')
TOSTMF('QNTC/IGHNAS05/Public_test/GrainMktg/FTP/TEST05') STMFOPT(*ADD)
STMFCODPAG(*PCASCII)
30 06/17/13 15:06:05.400248 QZLCKERN QSYS *STMT QZLCKERN
QSYS *STMT
From module . . . . . . . . : QZLCVUT
From procedure . . . . . . : QzlcDiagMsg
Statement . . . . . . . . . : 191
To module . . . . . . . . . : QZLCVUT
To procedure . . . . . . . : QzlcDiagMsg
Statement . . . . . . . . . : 191
Message . . . . : Error exchanging security information for user QIJS
on
Network Server ighnas05.
Cause . . . . . : The Network Server file system (QNTC) has encountered
an
Job Log GM400 06/17/13
15:06:07 Page 2
error when authenticating user QIJS with a Network Server ighnas05.
Recovery
. . . : Ensure the following: - The user is set up on Network Server
ighnas05. - The OS/400 user password matches the Network Server user
password. - Network Server ighnas05 is enabled for digitally signed
communications. Technical description . . . . . . . . : An error has
been
detected while the Network Server file system was exchanging security
information with a Network Server. The error class was 2, and the error code
was 2. Possible error class and error code values include: Class 0 - QNTC
specifc security error. 1 - QNTC requires digital signing. Class
1 -
Network Server operating system related error. 1 - Not valid
Function. 2 - File not found. 3 - Directory not valid.
4 - Too many files open. 5 - Access denied. Class 2 - Error
generated by the Network Server. 1 - Non-specific error code.
2 - Bad password. 3 - Directory not valid. 4 - Access
denied. 7 - Not valid device. Class 3 - Network Server hardware
error. 31 - General hardware failure. 39 - No space on
file
From module . . . . . . . . : QZLCVUT
From procedure . . . . . . : QzlcDiagMsg
Statement . . . . . . . . . : 191
To module . . . . . . . . . : QZLCVUT
To procedure . . . . . . . : QzlcDiagMsg
Statement . . . . . . . . . : 191
Message . . . . : Error exchanging security information for user QIJS on
Network Server ighnas05.
Cause . . . . . : The Network Server file system (QNTC) has encountered an
error when authenticating user QIJS with a Network Server ighnas05.
Recovery
. . . : Ensure the following: - The user is set up on Network Server
ighnas05. - The OS/400 user password matches the Network Server user
password. - Network Server ighnas05 is enabled for digitally signed
communications. Technical description . . . . . . . . : An error has
been
detected while the Network Server file system was exchanging security
information with a Network Server. The error class was 2, and the error code
was 2. Possible error class and error code values include: Class 0 - QNTC
specifc security error. 1 - QNTC requires digital signing. Class
1 -
Network Server operating system related error. 1 - Not valid
Function. 2 - File not found. 3 - Directory not valid.
4 - Too many files open. 5 - Access denied. Class 2 - Error
generated by the Network Server. 1 - Non-specific error code.
2 - Bad password. 3 - Directory not valid. 4 - Access
denied. 7 - Not valid device. Class 3 - Network Server hardware
error. 31 - General hardware failure. 39 - No space on
file
system.
30 06/17/13 15:06:05.621736 QZLCKERN QSYS *STMT QZLCKERN
QSYS *STMT
From module . . . . . . . . : QZLCVUT
From procedure . . . . . . : QzlcDiagMsg
Statement . . . . . . . . . : 191
To module . . . . . . . . . : QZLCVUT
To procedure . . . . . . . : QzlcDiagMsg
Statement . . . . . . . . . : 191
Message . . . . : Error exchanging security information for user QIJS on
Network Server ighnas05.
Cause . . . . . : The Network Server file system (QNTC) has encountered
an
error when authenticating user QIJS with a Network Server ighnas05.
Recovery
. . . : Ensure the following: - The user is set up on Network Server
ighnas05. - The OS/400 user password matches the Network Server user
password. - Network Server ighnas05 is enabled for digitally signed
communications. Technical description . . . . . . . . : An error has
been
detected while the Network Server file system was exchanging security
information with a Network Server. The error class was 2, and the error code
was 2. Possible error class and error code values include: Class 0 - QNTC
specifc security error. 1 - QNTC requires digital signing. Class
1 -
Network Server operating system related error. 1 - Not valid
Function. 2 - File not found. 3 - Directory not valid.
4 - Too many files open. 5 - Access denied. Class 2 - Error
generated by the Network Server. 1 - Non-specific error code.
2 - Bad password. 3 - Directory not valid. 4 - Access
denied. 7 - Not valid device. Class 3 - Network Server hardware
error. 31 - General hardware failure. 39 - No space on file
system.
06/17/13 15:06:05.721048 QZLCKERN QSYS *STMT QZLCKERN
QSYS
From module . . . . . . . . : QZLCVUT
From procedure . . . . . . : QzlcDiagMsg
Statement . . . . . . . . . : 191
To module . . . . . . . . . : QZLCVUT
To procedure . . . . . . . : QzlcDiagMsg
Statement . . . . . . . . . : 191
Message . . . . : Error exchanging security information for user QIJS on
Network Server ighnas05.
Cause . . . . . : The Network Server file system (QNTC) has encountered an
error when authenticating user QIJS with a Network Server ighnas05.
Recovery
. . . : Ensure the following: - The user is set up on Network Server
ighnas05. - The OS/400 user password matches the Network Server user password. - Network Server ighnas05 is enabled for digitally signed
communications. Technical description . . . . . . . . : An error has been
detected while the Network Server file system was exchanging security information with a Network Server. The error class was 2, and the error code was 1. Possible error class and error code values include: Class 0 - QNTC
specifc security error. 1 - QNTC requires digital signing. Class 1
-
Network Server operating system related error. 1 - Not valid
Function. 2 - File not found. 3 - Directory not valid.
4 - Too many files open. 5 - Access denied. Class 2 - Error
generated by the Network Server. 1 - Non-specific error code.
2 - Bad password. 3 - Directory not valid. 4 - Access
denied. 7 - Not valid device. Class 3 - Network Server hardware
error. 31 - General hardware failure. 39 - No space on file
system.
From module . . . . . . . . : QP0LCCMN
From procedure . . . . . . :
send_STMF_DBF_msg__FPcT1iT1T3PV22qp0l_STMF_DBF
_commarea
Statement . . . . . . . . . : 16
/QNTC/IGHNAS05/Public_test/GrainMktg/FTP/TEST05.
Cause . . . . . : Object
/QNTC/IGHNAS05/Public_test/GrainMktg/FTP/TEST05, or
a directory in the object path, could not be found, or its type cannot be
resolved by this function. Recovery . . . : Correct the name or
specify
an object of the correct type. To determine if the object exists, use the
Work with Object Links (WRKLNK) command. If the name exists, check the type
of the object. If the name contains symbolic link objects, ensure the path
names they resolve to exist. Retry the operation.
40 06/17/13 15:06:05.725664 QP0LCCMN QSYS *STMT A_TEST05
JSTONE 000C
From module . . . . . . . . : QP0LCCMN
From procedure . . . . . . :
send_STMF_DBF_msg__FPcT1iT1T3PV22qp0l_STMF_DBF
_commarea
Statement . . . . . . . . . : 109
Message . . . . : Object not copied. Object is
/qsys.lib/tpgmlib.lib/qclsrc.file/addtimetst.mbr.
Cause . . . . . : Object
/qsys.lib/tpgmlib.lib/qclsrc.file/addtimetst.mbr
was not copied to object QNTC/IGHNAS05/Public_test/GrainMktg/FTP/TEST05
because errors occurred. Recovery . . . : Display the job log
(DSPJOBLOG
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.