We have a PC program, developed in Visual Basic, that connects and signs on
to an IBM I server.
It's worked for years.



Now when a PC is updated to Windows 11 it fails to connect, giving weird
messages that the user has no password or the user can't be found, etc.



So, I found the following IBM Support message "Windows 11 24H2 update causes
issues connecting to IBM I", which says.



"IBM i clients have reported (two) problems after applying the Windows 11
24H2 update:

1) IBM i Access Client Solutions Windows Application Package is no longer
able to use the "*WINLOGON" authentication option.

Symptom

1) ACS WinAP ODBC clients that are set to "Use Windows user name and
password, no prompting" will fail to authenticate and receive message
CWBSY1040

Resolving The Problem

Problem 1:

The *WINLOGON support was originally leveraged in the old client IBM i
Access for Windows via the setting "Use Windows Username and Password, no
prompting". That support was later propagated to the IBM i Access Client
Solutions Windows Application Package which provides native Windows data
access providers like ODBC, .Net, and OLEDB to connect to IBM i Db2 data.
It provides the capability for a Windows client to get the current
credentials used to sign into the workstation.

The only way this was of any use is if the Windows credentials exactly
matched the IBM i credentials. IBM i Access has been leveraging this
support as a convenience for users that did not want to have to reenter the
exact same credentials when accessing the IBM i. Needless to say, there are
security issues with this support. In the May 2024 update for the IBM i
Access Client Solutions Windows Application Package, the capability to use
"Use Windows Username and Password" for connecting to the IBM i has been
disabled by default. Instructions were provided in the release notes for an
Admin to enable it if desired. However, in the next update, it will be
permanently removed with no capability to reenable it.

In the Windows 11 24H2 update, Microsoft disabled *WINLOGON by default from
an OS perspective making the option in IBM i Access useless. Users need to
select an alternate authentication option.

A common option is to set a default user profile. The first time a user
makes a connection to the IBM i, they are prompted for a password. All
subsequent connections automatically use the specified USRPRF and pull the
password out of a cache. The user is not prompted again. The cache is
cleared on reboot and thus requires providing the password again.

Another option would be to implement Kerberos, though that is non-trivial to
configure.
Administrators might consider "netrc" , or, the "cwblogon" utility (part of
ACS Win AP), though, we cannot recommend using that in a script because that
would mean leaving plain-text credentials in a file."



If I understand correctly, the suggestion is to use the server sign on user
id and password (not the session signon) when subsequently trying to connect
to the IBM I server in the PC client program.
Tried this and it doesn't work. Using the CWBLOGON utility won't work
because multiple users access are logged by their use of the PC program.
Using CWBLOGON would sign them all on as the same user.



What have you been doing to get around this? I can't be the only one with a
PC program accessing the IBM i.





Kind Regards,



Thomas Garvey, Corporate Scientist


As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.