I'm pretty sure it's krbsvr400.
FWIW, I have:
krbsvr400
ldap
HTTP
HOST
cifs
nfs
For me, only host name works for any EIM (this could be in my setup, I don't know). For DNS, I've found that the following PING commands must resolve to the same fully-qualified name for my server.
ping {short hostname}
ping -a {IP address}
-----Original Message-----
From: Steinmetz, Paul [mailto:PSteinmetz@xxxxxxxxxx]
Sent: Thursday, August 31, 2017 7:38 AM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxx>
Subject: RE: EIM SSO expired password issues
Justin,
I found notes from an old lengthy PMR from IBM, see below.
For mapped drives, only system name will work, IPs no longer.
Which keytab principal is used for ODBC?
PMR notes.
Regarding making Kerberos connections to the IP address, it appears that (although this has worked in the past) at some point Microsoft clients stopped using Kerberos for connections established via IP address, and current Microsoft clients appear to make Kerberos connections only for system names that resolve in DNS. So, the IP address is probably not going to work. I found the following article on support.microsoft.com:
https://support.microsoft.com/en-us/help/322979/kerberos-is-not-used-when-you-connect-to-smb-shares-by-using-ip-address
If you need additional confirmation, please contact Microsoft.
Regarding encrypted password connections to IP addresses (which you and I also talked about) the developer tells me that NetServer does bind to all TCP/IP interfaces that are active at the time when NetServer starts. Clients should be able to access NetServer, using encrypted passwords, through any interface with a network path from the client to the server.
Regarding which Service Principals are necessary:
(HOST) The HOST form of the principal name is obsolete. It was used by Windows 2000, and is still part of the NetServer documentation and configuration wizard for compatibility's sake. If you are only running 'currently in service' Windows clients, the HOST principals won't ever be used and can be removed.
(cifs) Only the service principals for names that you plan to connect to using Kerberos are necessary. For example, if the Qname (QPencor name) is unused, the principals can be removed. IP address can also be removed, since currently supported Microsoft clients do not appear to support Kerberos connections using IP address.
The developer stated that the NetServer (NETSERVER06) name may or may not work in current environments since it is a NetBIOS name. If it doesn't work, he said it can be removed. When he told me that, one thing came to mind. Since Kerberos is DNS-based, I wonder if a DNS entry could be added (on the DNS) for the NetServer name. I can't guarantee that would work, but it's something you could try if you wish. If it does work please let me know and I'll add that little trick to our documentation.
The developer is reluctant to advise anyone to remove the fully qualified principal name because behavior may vary based on your DNS configuration. It is advised that you keep both the Pencorp06 and Pencorp06.pencorp.com principals at a minimum.
Paul
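Added example, not code from the midrange-l thread or from IBM's PMR notes: a POSIX shell script that automates the two prerequisite checks the messages above describe. The first check mirrors the `ping {short hostname}` / `ping -a {IP address}` test, confirming that forward and reverse DNS agree on one fully-qualified name (it uses glibc's `getent hosts` instead of ping, which is an assumption about the host it runs on). The second check audits a `klist -k` style keytab listing and flags `HOST/` principals (obsolete per the PMR notes) and principals for bare IP addresses (not used by current Microsoft clients), keeping everything else. The hostnames, the 192.0.2.10 address, the PENCORP.COM realm and the sample listing are all constructed.

```shell
#!/bin/sh
# Added example, not from the midrange-l thread or IBM's PMR notes.
# Two prerequisite checks for Kerberos/EIM single sign-on:
#   1. forward and reverse DNS agree on one fully-qualified name
#   2. a keytab listing contains no obsolete HOST/ or IP-address principals
# All host names, addresses, the realm and the sample listing are constructed.

# same_fqdn NAME1 NAME2: succeed if both normalise to the same FQDN
# (case-insensitive, trailing dot ignored, empty names never match)
same_fqdn() {
  a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  b=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# resolve NAME_OR_IP: canonical name from the system resolver (assumes glibc getent).
# For a short name this mirrors "ping shortname" (forward lookup);
# for an IP address it mirrors "ping -a IP" (reverse lookup).
resolve() {
  getent hosts "$1" | awk '{print $2; exit}'
}

# check_dns SHORTNAME IP: both lookups must land on the same FQDN
check_dns() {
  fwd=$(resolve "$1")
  rev=$(resolve "$2")
  if same_fqdn "$fwd" "$rev"; then
    echo "OK: $1 -> $fwd, $2 -> $rev"
  else
    echo "MISMATCH: $1 -> '${fwd:-unresolved}', $2 -> '${rev:-unresolved}'" >&2
    return 1
  fi
}

# classify_principal SERVICE/HOST@REALM: prints KEEP, OBSOLETE or UNUSED-IP
classify_principal() {
  svc=${1%%/*}
  rest=${1#*/}
  host=${rest%%@*}
  case $svc in
    [Hh][Oo][Ss][Tt]) echo "OBSOLETE $1"; return ;;   # Windows 2000 era form
  esac
  case $host in
    *[!0-9.]*) echo "KEEP $1" ;;        # contains a letter: a DNS name
    *)         echo "UNUSED-IP $1" ;;   # digits and dots only: an IP address
  esac
}

# audit_keytab: reads "klist -k" style output on stdin, one finding per principal
audit_keytab() {
  while read -r kvno princ _; do
    case $princ in
      */*@*) classify_principal "$princ" ;;
      *) ;;   # header, separator and blank lines carry no principal
    esac
  done
}

# Constructed sample in the shape of "klist -k" output
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 cifs/pencorp06.pencorp.com@PENCORP.COM
   3 cifs/pencorp06@PENCORP.COM
   3 HOST/pencorp06.pencorp.com@PENCORP.COM
   3 cifs/192.0.2.10@PENCORP.COM
   3 krbsvr400/pencorp06.pencorp.com@PENCORP.COM'

# Stand-alone run: audit the sample listing, and check DNS when a name and IP are given
if [ "$#" -eq 2 ]; then
  check_dns "$1" "$2"
fi
printf '%s\n' "$SAMPLE_KEYTAB" | audit_keytab
```

Run it as `sh check_sso.sh pencorp06 192.0.2.10` (constructed values) to get the DNS verdict followed by the keytab findings; to audit a real keytab, pipe `klist -k` into `audit_keytab`. The script only reports; it does not remove principals, since, as the PMR notes say, both the short and the fully-qualified `cifs/` principals should stay in place.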