Matt, wish I could help, and have been hoping
our network team could get us to where you are
headed and have supplied them with pretty much
every relevant manual, article, etc.
But we're still stuck with multiple user-id madness.
Unfortunately, I think we're typical of most
iSeries users . . .


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Matt Lavinder
Sent: Thursday, February 20, 2014 11:36 AM
To: Midrange Systems Technical Discussion
Subject: Re: EIM Domain and SSO

I appreciate the link but I am more or less verifying I understand what I have read before I jump into this and waste a lot of time. I more or less understand how Kerberos works and I have read through several documents on how to set this up. What I am trying to determine now is if the end result I expect is reality.

Again, we primarily want this to help us with IFS access. More specifically, we would like to move some files off the IFS to a Windows file server. The key is we still need access to those directories via QNTC. This worked fine before we had an Active Directory but now it is a headache and we deal with a lot of "access denied" messages. We want to simplify this. We want our Active Directory to know that user profile JOHNS is actually domain user JSMITH so JOHNS is able to read and write to shared folders that JSMITH has access to. I think EIM will take care of that for us.

Still, with people saying "this works" and "this does not", now I am wondering if I have missed something.


On 2/20/2014 12:47 PM, Gary Thompson wrote:
Matt, maybe this link helps: http://www.redbooks.ibm.com/abstracts/sg246975.html


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Matt Lavinder
Sent: Thursday, February 20, 2014 10:01 AM
To: Midrange Systems Technical Discussion
Subject: Re: EIM Domain and SSO

Does EIM do anything for IFS access? That is the biggest reason we are exploring this. We need the mainframe to access windows shares using QNTC and we thought EIM would allow Windows to link IBM user profiles to domain users. We may even need to map some system users to an appropriate domain user. I am not sure if any of that is possible, so I thought I had better verify before I waste a lot of time.

Also, I thought I had read that you could not log into profiles (on the IBM i) that have SSO enabled. Is that true? The tutorials do not seem to indicate that is the case. I am getting the impression it is optional.


On 2/19/2014 5:02 PM, Vernon Hamberg wrote:
Good points - now for other positive spins!!

Apache web server supports Kerberos, and so does jt400 - just in case
you want to start playing in those worlds.

Vern

On 2/19/2014 3:33 PM, Matt Olson wrote:
The other big App IBM i shops run into that don't support Kerberos is
RDP (rational developer for power). Still have no idea why they
haven't jumped on the bandwagon.



-----Original Message-----
From: Matt Olson [mailto:Matt.Olson@xxxxxxxx]
Sent: Wednesday, February 19, 2014 3:33 PM
To: Midrange Systems Technical Discussion
Subject: RE: EIM Domain and SSO

Matt,

EIM works pretty good, as long as all the applications in your
environment support EIM. Some applications don't (like content
manager). But for those things that do (5250) it works great.

Be sure to have the following PTF's so you don't have to scratch your
head why your windows 2008 (or above) domain controllers that are
handing out Kerberos tickets is failing. It wasn't long ago that the
IBM i only supported DES Kerberos where as Microsoft moved to AES
years ago as the default Kerberos encryption routine, and thus causes
problems with Kerberos authentication, causing windows server
operators to "dumb down" the encryption to the old DES standard
rather then embrace the new, more secure Kerberos encryption standards.

Fix Release Description
--------- --------- ----------------------------
SI42919 V7R1 Adds AES & RC4 encryption support (krb)
SI42957 V6R1 " "
SI43034 V5R4 " "

SI43918 V7R1 Updates KRB5 header file in QSYSINC
SI43919 V6R1 " "
SI43920 V5R4 " "

Matt


-----Original Message-----
From: Matt Lavinder [mailto:mlavinder@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, February 19, 2014 3:05 PM
To: midrange-l@xxxxxxxxxxxx
Subject: EIM Domain and SSO

We have been investigating single-sign-on I am looking at following
the document here (http://is.gd/6xxMCv) for creating a SSO test
environment.
I get a bit nervous about making changes as we do not have a test
system. Will the act of creating a new EIM domain have any impact on
existing users or objects?
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.




--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.