Hi Joe,

Can you try to run kinit against CORP.COMPANY.COM without "-k", so you
can test if your service account/binding password is correct?
You can try doing "keytab delete" and re-add using "keytab add" and re-test
kinit -k for CORP.COMPANY.COM.

In Navigator for i, check in the properties of the realm that you are using
the correct KDC servers. For example, for me it works only if the KDCs are
within the same realm (CORP.COMPANY.COM).

Regards,
Tsvetan

On Wed, 22 Jun 2022 at 15:23, Sizer, Joseph via MIDRANGE-L <
midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

I have an established and working configuration for single sign-on for my
V7R3 environment. My company is migrating our Active Directory domain from
"company.com" to "corp.company.com". We use a Microsoft Active Directory
for Kerberos authentication.

In attempting to set up a second Realm of corp.company.com, I went into
IBM Navigator for i and selected Security / Network Authentication Service
/ Configuration Wizard and configured the services necessary for single
sign-on for the second realm. I produced a .bat file which was run on the
new corp.company.com domain controller.

I have also attempted to update the Realm properties by going to Security
/ Network Authentication Service / Realms and added a second Realm with
the appropriate KDC.

I can see the entries in the keytab list and have verified that the
passwords match between NAS and AD. I have performed a
kinit -k krbsvr400/IBMiMachineName.company.com@xxxxxxxxxxx and gotten a proper
response. SSO is working with a 5250 session. I do not get a positive
response when attempting the same kinit -k command with the
CORP.COMPANY.COM command.

Does anyone have links to information or documentation that would address
adding a second realm to an existing and working NAS/EIM SSO configuration?


Joe Sizer
IBM I Power9 Administrator
Pencor Digital Services

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
Office: 610.826.9080 Ext. 2117

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list