Thanks Matt,

At a first global read I see that, apart from the IBM i setup, it is needed to:
1. Configure Windows accounts to use DES encryption where the Microsoft
standard is RSA.
2. Modify the Windows clients to export the session key.

I don't know what the security impact of those changes is; extra
research/advice will be needed before I put my feet on that path.

Regards,
-Arco
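A defender-side audit of the two Windows changes listed above, added here as an example and not part of the thread or of Attachmate's documentation. It assumes the DES change corresponds to the USE_DES_KEY_ONLY userAccountControl flag (0x200000) or the DES bits of msDS-SupportedEncryptionTypes, and the session-key change to the AllowTGTSessionKey registry value, since those are the usual places these settings live in AD and on Windows clients.

```powershell
# Added example (not from the thread). Audits the two settings the Kerberos
# setup asks for, so their scope is known before they are made:
#  1. accounts restricted to DES Kerberos keys (56-bit, deprecated) -- assumed
#     to be the USE_DES_KEY_ONLY flag (0x200000) in userAccountControl and/or
#     the DES bits (0x1, 0x2) in msDS-SupportedEncryptionTypes
#  2. clients allowed to hand the TGT session key to user-mode applications --
#     assumed to be HKLM\...\Lsa\Kerberos\Parameters\AllowTGTSessionKey = 1
# Part 1 needs the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$UseDesKeyOnly = 0x200000
$DesEtypeBits  = 0x1 -bor 0x2    # DES_CBC_CRC | DES_CBC_MD5

# 1. Every enabled account pinned to DES; this list should be short and known,
#    because such accounts get the weakest tickets the KDC will still issue.
$desAccounts = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties userAccountControl, 'msDS-SupportedEncryptionTypes' |
  Where-Object {
    (($_.userAccountControl -band $UseDesKeyOnly) -ne 0) -or
    (($_.'msDS-SupportedEncryptionTypes' -band $DesEtypeBits) -ne 0)
  } |
  Select-Object SamAccountName,
    @{ n = 'DesOnly'; e = { ($_.userAccountControl -band $UseDesKeyOnly) -ne 0 } },
    @{ n = 'Etypes';  e = { $_.'msDS-SupportedEncryptionTypes' } }
$desAccounts | Format-Table -AutoSize

# 2. Does this client expose the TGT session key? (absent or 0 = default)
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$allow = (Get-ItemProperty -Path $KerbParams -Name AllowTGTSessionKey `
            -ErrorAction SilentlyContinue).AllowTGTSessionKey
if ($allow -eq 1) {
    Write-Warning "AllowTGTSessionKey=1 on $env:COMPUTERNAME: user-mode applications can obtain the TGT session key"
} else {
    Write-Output "AllowTGTSessionKey not enabled on $env:COMPUTERNAME"
}
```

Run part 2 on each client the Attachmate setup would touch, and keep the output of part 1 as the baseline to compare against after the accounts are changed.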


2016-05-26 14:26 GMT+02:00 Matt Olson <Matt.Olson@xxxxxxxx>:

Arco,

There is documentation on setting up Kerberos with the IBM i here:
http://support.attachmate.com/techdocs/1954.html

It's actually very nice once you get it set up, although setting it up on
the IBM i is not very straightforward. On Windows, setting up Kerberos
negotiation between servers is a much simpler affair (though still not as
easy as it should be, as it involves going to the command shell and running
one command).

Also, Kerberos isn't a "Windows" thing. You can certainly set up an LDAP
server on your OS of choice and get Kerberos running, but you typically
find that it is a Windows server in practice, as it only takes a few hours
to set up Active Directory (the LDAP server) with all of its fancy wizards
to guide you through the whole setup process. The equivalent can't be said
of other platforms such as Linux, where it takes a fleet of engineers to
set up and maintain a directory server due to all the bash commands,
configuration files, and prayer involved.

My main issue with Kerberos at this point is that IBM has not put the
effort into making it available across all their software products. RDi is
a perfect example. It doesn't support Kerberos.
________________________________________
From: Arco Simonse <arco400@xxxxxxxxx>
Sent: Thursday, May 26, 2016 7:02 AM
To: Midrange Systems Technical Discussion
Subject: Re: ACS connection and Windows authentication

I see. I can overcome that con... :-)
But I thought I would ask, since I know nothing about connecting with
Kerberos, and it _is_ one of the selectable settings in ACS.
After that I found the other post of the netrc file.

Regards,
-Arco

2016-05-26 13:30 GMT+02:00 Rob Berendt <rob@xxxxxxxxx>:

There are pros and cons to being tightly integrated with Windows.
You're noticing one of the cons.

On the pro side you can put on a new version and you don't have to be the
lord high king guru, and run through an extensive ritual, of the entire
company to do so.
It was getting to the point that the old "Check Service Level" really
wouldn't run for anyone else.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Arco Simonse <arco400@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 05/26/2016 03:39 AM
Subject: ACS connection and Windows authentication
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Hi,

When starting ACS for the first time in a day, you get a signon popup to
authenticate once with the system that is configured for your sessions.
In the old Client Access I could set my connection properties to "Use
Windows username and password, no prompting".
I'm looking for the equivalent of this for ACS. We keep our Windows and i
passwords the same. The i is at QPWDLVL 3.

When I look into the ACS connection properties I see the following
possibilities to set:

- Use shared credentials: Prompt for logon credentials that will be shared
  by systems using this option. The credentials will be saved until the
  user logs off.
- Use default user name to prompt once for each system: Prompt for logon
  credentials once for each system. The credentials will be saved until the
  user logs off.
- Prompt for user name and password every time: Prompt for logon
  credentials every time a connection to the system is requested.
- Use Kerberos authentication; do not prompt: Logon credentials are the
  current Kerberos credentials. The credentials must be trusted for
  delegation.

None of these seem to apply to what I want to achieve. I do not have
knowledge of Kerberos, but I tried that option and it gave me:
MSGKRB001 - Kerberos error for system %1$s.
(Failure unspecified at GSS-API level (Mechanism level:
80090303=InitializeSecurityContext() len=16384 ctx=00000000
SEC_E_TARGET_UNKNOWN))

Do I need to configure something for Kerberos? Or am I totally on a wrong
path?

Thanks,
-Arco
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.



