My first question is, when doing single sign-on, is this an all
or nothing proposition?
No. Most of the shops we have helped with SSO have chosen to roll out
just a handful of users at a time at first, and then increase the
rollout speed as they get more familiar with it. The beauty of EIM and
SSO on i is that you can enroll just one user at a time if you wish.
There is no "say a prayer and flip the switch" moment because you enable
5 users, make sure it works the way you want it to, and then go do 10
more, and then 30 more, etc., etc.
The use of Kerberos authentication is also controlled by the connection
settings in iSeries Navigator and/or the 5250 emulation settings. So even
when you enable it and set up a user with the proper mappings, you can
have one session that uses it and one that doesn't. When Kerberos is
enabled you will have the option to "Use Kerberos principal name, no
prompting" in the User ID signon information portion of the connection
settings.
You can choose to set the password to *NONE for an account that is set up
to use Kerberos. In that case they will be able to sign on when Kerberos
authenticates them against the Windows AD, but they will not be able to
sign on to a dumb tube, or sign on manually.
Someone mentioned the 300 number as a cutoff for using iSeries Navigator
functions for creating the EIM mappings. We're slightly above that number
and I'd concur. The native interface works, but is not very quick. In
addition, deletion of an iSeries user profile does not delete the matching
EIM identifier. You will have additional work on both profile creation
and deletion.
The only downside I've found to SSO is when it doesn't work for a specific
machine. There are some tools that are downloadable from Microsoft and
others to help try and figure out why it isn't working. They are not very
helpful. I no longer even try to fix individual PCs. The hours spent
applying all the iSeries Access PTFs, the Windows updates, verifying that
nothing is blocking ports on the PC or iSeries, are pointless. When it
doesn't work, it just doesn't work. In all these cases the problems have
disappeared when the PC was reloaded or replaced. If you do buy a third
party package to help with administration, it would be worthwhile to ask
what kind of assistance they provide for debugging failures. What you get
from Windows and the iSeries won't be much help.