Kerberos

Former Member

Has anyone had any experience or knowledge of getting Kerberos working, or even whether it can be done?

Chris Hinchcliffe


Answers (3)


Former Member

Hi Jim, thanks for that, but how does SAP integrate into this scenario? I have had Kerberos working through EIM, but cannot see any documents on how to get it working with SAP on the i-series.

Former Member

Sorry--it wasn't an SAP-specific seminar. But based on what I gathered there, it seems like the application that you're signing onto is what talks to Kerberos: if I'm signing on to iSeries, OS/400 talks to Kerberos; if I'm signing on to SAP, SAP should talk to Kerberos. If that's an RFC connection or something, that should be fairly transparent to the iSeries. But if it has to communicate at the OS level, you'd need some type of Kerberos connector in OS/400. Seems like that would be a good topic for a chapter in the "SAP on iSeries" book!

Former Member

Chris: just got back from a local users' group seminar on this topic. I haven't done it, but the basics are something like the following:

- you need a Kerberos server; the iSeries can do it, but chances are your Windows server is already issuing a ticket, but nothing is being done with it

- you can configure it via OpsNavigator

- OpsNav outputs a batch file (very well documented) for each iSeries server that's going to participate

- this batch file is then run on the Kerberos server and creates a userid there for the iSeries server

- you then do the rest of the configuration for new users on the iSeries, with OpsNav again; this includes the identity mapping, taking "JDOE" from the Windows signon and translating that to "JOHND" on the iSeries

- note that it only does AUTHENTICATION, not AUTHORIZATION

Then, theoretically, a ticket is issued when you sign on to Windows. Next time you ask to sign on to a participating iSeries (or Netserver, for example), the system looks at your ticket, confirms the request with the Kerberos server, and signs you right on to the iSeries server, without presenting you with a name/password prompt.

One good/bad thing about it is that the actual password is changed to *NONE. Without Kerberos, you don't get signed in. That makes it easier to keep someone out, because you only have to disable their Kerberos account, but it probably keeps you from using Kerberos on QSECOFR, since you want that to work no matter what.

Let me know if you're interested in the foils from the seminar. I could ask for permission to post them. It wasn't very technical, but a better overview than I expected.
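To make the flow in the post above concrete (ticket is checked, the Windows identity is mapped to an iSeries profile, the profile's password is *NONE, and authorization stays a local decision), here is an added, self-contained Python model. It is not IBM's EIM or OS/400 code and it is not from the thread; the realm name, the association table, the profile names and the object names are constructed sample data, and the function names are made up for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data. In a real deployment the realm comes from the Windows
# domain's KDC, the associations from the EIM domain, and the profiles from OS/400.
TRUSTED_REALMS = {"CORP.EXAMPLE"}

# EIM-style association: (source registry, source user) -> (target registry, target user).
# This is the "JDOE on Windows becomes JOHND on the iSeries" mapping from the post.
EIM_ASSOCIATIONS = {
    ("CORP.EXAMPLE", "jdoe"): ("ISERIES1", "JOHND"),
    ("CORP.EXAMPLE", "asmith"): ("ISERIES1", "ALICES"),
}


@dataclass
class UserProfile:
    name: str
    password: str | None            # None models *NONE: no local password exists
    status: str = "*ENABLED"
    authorities: set = field(default_factory=set)


PROFILES = {
    "JOHND": UserProfile("JOHND", None, authorities={"PAYROLL.FILE"}),
    "ALICES": UserProfile("ALICES", None, status="*DISABLED"),
    # Kept on a local password, as the post suggests for QSECOFR (constructed value).
    "QSECOFR": UserProfile("QSECOFR", "demo-only-password", authorities={"*ALLOBJ"}),
}


def parse_principal(principal: str) -> tuple[str, str]:
    """Split 'user[/instance]@REALM' into (user, REALM); the instance part is dropped."""
    if "@" not in principal:
        raise ValueError("principal has no realm")
    name, realm = principal.rsplit("@", 1)
    user = name.split("/", 1)[0]
    if not user or not realm:
        raise ValueError("malformed principal")
    return user.lower(), realm.upper()


def map_to_profile(principal: str, target_registry: str) -> str | None:
    """EIM-style lookup: Kerberos identity -> local profile name, or None if unmapped."""
    user, realm = parse_principal(principal)
    if realm not in TRUSTED_REALMS:            # a ticket from an unknown realm never maps
        return None
    target = EIM_ASSOCIATIONS.get((realm, user))
    if target is None or target[0] != target_registry:
        return None
    return target[1]


def kerberos_signon(principal: str, ticket_valid: bool,
                    target_registry: str = "ISERIES1") -> tuple[bool, str]:
    """Authentication only: a KDC-confirmed ticket plus a mapping yields a profile.
    Nothing here grants rights to any object; that remains the profile's own job."""
    if not ticket_valid:
        return False, "ticket rejected by KDC"
    name = map_to_profile(principal, target_registry)
    if name is None:
        return False, "no EIM association; fall back to name/password prompt"
    profile = PROFILES.get(name)
    if profile is None or profile.status != "*ENABLED":
        return False, f"profile {name} missing or disabled"
    return True, name


def password_signon(name: str, password: str) -> tuple[bool, str]:
    """Local sign-on. A profile whose password is *NONE cannot be reached this way,
    which is the 'without Kerberos you don't get signed in' property from the post."""
    profile = PROFILES.get(name)
    if profile is None or profile.status != "*ENABLED":
        return False, "profile missing or disabled"
    if profile.password is None:
        return False, "password is *NONE; Kerberos sign-on required"
    if password != profile.password:
        return False, "wrong password"
    return True, name


def is_authorized(name: str, obj: str) -> bool:
    """Authorization is decided by the local profile's authorities, not by the ticket."""
    profile = PROFILES[name]
    return "*ALLOBJ" in profile.authorities or obj in profile.authorities


if __name__ == "__main__":
    print(kerberos_signon("jdoe@CORP.EXAMPLE", ticket_valid=True))
    print(password_signon("JOHND", "anything"))
    print(is_authorized("JOHND", "PAYROLL.FILE"), is_authorized("JOHND", "HR.FILE"))
```

The point the model makes explicit is the post's "AUTHENTICATION, not AUTHORIZATION" note: a valid ticket from a trusted realm only tells the system which local profile you are, so disabling the Kerberos account (or the profile) locks the user out, while what that profile may touch is still governed entirely by its own authorities.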

Former Member

Hello Chris,

Yes, we have given it a try and it worked.

Single sign-on between Windows 2000 Server and EIM of i5/OS V5R2M0 at that time.

No SAP was involved.

Kind regards, Rudi van Helvoirt