We changed the connection string to use Kerberos.


Monty James
iSeries System Administrator Supervisor
Technology


date: Wed, 2 Jul 2025 12:10:45 -0500
from: <tgarvey@xxxxxxxxxx>
subject: How have you solved this IBM connectivity issue?

We have a PC program, developed in Visual Basic, that connects and signs on to an IBM i server.
It's worked for years.



Now when a PC is updated to Windows 11 it fails to connect, giving weird messages that the user has no password or the user can't be found, etc.



So, I found the following IBM Support message "Windows 11 24H2 update causes issues connecting to IBM i", which says:



"IBM i clients have reported (two) problems after applying the Windows 11 24H2 update:

1) IBM i Access Client Solutions Windows Application Package is no longer able to use the "*WINLOGON" authentication option.

Symptom

1) ACS WinAP ODBC clients that are set to "Use Windows user name and password, no prompting" will fail to authenticate and receive message CWBSY1040

Resolving The Problem

Problem 1:

The *WINLOGON support was originally leveraged in the old client IBM i Access for Windows via the setting "Use Windows Username and Password, no prompting". That support was later propagated to the IBM i Access Client Solutions Windows Application Package which provides native Windows data access providers like ODBC, .Net, and OLEDB to connect to IBM i Db2 data.
It provides the capability for a Windows client to get the current credentials used to sign into the workstation.

The only way this was of any use is if the Windows credentials exactly matched the IBM i credentials. IBM i Access has been leveraging this support as a convenience for users that did not want to have to reenter the exact same credentials when accessing the IBM i. Needless to say, there are security issues with this support. In the May 2024 update for the IBM i Access Client Solutions Windows Application Package, the capability to use "Use Windows Username and Password" for connecting to the IBM i has been disabled by default. Instructions were provided in the release notes for an Admin to enable it if desired. However, in the next update, it will be permanently removed with no capability to reenable it.

In the Windows 11 24H2 update, Microsoft disabled *WINLOGON by default from an OS perspective making the option in IBM i Access useless. Users need to select an alternate authentication option.

A common option is to set a default user profile. The first time a user makes a connection to the IBM i, they are prompted for a password. All subsequent connections automatically use the specified USRPRF and pull the password out of a cache. The user is not prompted again. The cache is cleared on reboot and thus requires providing the password again.

Another option would be to implement Kerberos, though that is non-trivial to configure.
Administrators might consider "netrc", or the "cwblogon" utility (part of ACS Win AP), though we cannot recommend using that in a script because that would mean leaving plain-text credentials in a file."



If I understand correctly, the suggestion is to use the server sign on user id and password (not the session signon) when subsequently trying to connect to the IBM i server in the PC client program.
Tried this and it doesn't work. Using the CWBLOGON utility won't work because multiple users access are logged by their use of the PC program.
Using CWBLOGON would sign them all on as the same user.



What have you been doing to get around this? I can't be the only one with a PC program accessing the IBM i.





Kind Regards,



Thomas Garvey, Corporate Scientist




This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
