When running in Java, it just works. I've copied the Java code below. In that case I do get an AS400 object, and, as you'll see, it is so dirt simple - no user to set, no password - jt400 gets it all from the existing credentials cache that resulted from the Windows logon to the domain.

The wrinkle is the IKVM layer - that is a kind of JVM for .Net - and it doesn't know how to retrieve the credentials from the existing cache.

So I'm wondering if there's a Windows API - has to be - that I can call from VB .Net.

Here's the Java code, followed by my VB equivalent -

Java code - to test it, make sure your Windows PC is in a domain, not a workgroup, then log in there with your domain user. If you've configured your iSeries for Kerberos (Network Authentication Services) and EIM, ba-da-bing!

// The IBM Toolbox for Java / JTOpen APIs, provided by jt400.jar.
import com.ibm.as400.access.AS400;

/**
 * This sample code assumes the client machine is already configured for
 * Kerberos authentication, the target iSeries machine is configured for
 * Kerberos authentication, and Enterprise Identity Mapping (EIM) is
 * configured with appropriate mappings between client user IDs and
 * iSeries user profiles.
 **/
public class SSOSample
{
    public static void main(String[] args)
    {
        // Instruct JAAS to be lenient, since we don't create a Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // Set Kerberos realm.
        //System.setProperty("java.security.krb5.realm", "RJSINTRANET.COM");

        try
        {
            System.out.println("Calling sample1...");
            sample1();
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }


    /**
     * Sample 1 - Let the Toolbox handle the GSS credential.
     **/
    public static void sample1() throws Exception
    {
        // Create a Toolbox system object that points at an iSeries.
        AS400 sys = new AS400("rjs4003.rjsintranet.com");

        // Turn off the userID/password GUI prompt.
        sys.setGuiAvailable(false);

        // Optionally force only Kerberos authentication.
        sys.setGSSOption(AS400.GSS_OPTION_MANDATORY);

        // Connect to the signon server to authenticate.
        // This proves that the iSeries accepted the Kerberos ticket.
        sys.connectService(AS400.SIGNON);

        // Print out the iSeries user profile our server job is running under.
        // This proves that EIM mapped the Kerberos user to an
        // iSeries user profile.
        System.out.println("Connected as " + sys.getUserId());

        // Close the Toolbox connection to the iSeries.
        sys.disconnectAllServices();
    }
}


VB code equivalent -

Public Class Form1

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        ' Create a Toolbox system object that points at an iSeries
        Dim iSys As New com.ibm.as400.access.AS400("rjs4003.rjsintranet.com")

        ' String to hold credentials
        Dim sCreds As String

        ' Instruct JAAS to be lenient, since we don't create a Subject.
        java.lang.System.setProperty("javax.security.auth.useSubjectCredsOnly", "false")

        ' Turn off the userID/password GUI prompt
        iSys.setGuiAvailable(False)

        ' Optionally force only Kerberos authentication
        iSys.setGSSOption(com.ibm.as400.access.AS400.GSS_OPTION_MANDATORY)

        ' Get credentials into a string
        sCreds = System.Net.CredentialCache.DefaultNetworkCredentials.ToString

        ' Connect to the signon server to authenticate
        ' This proves that the iSeries accepted the Kerberos ticket
        iSys.connectService(com.ibm.as400.access.AS400.SIGNON)

        ' Print out the iSeries user profile our server job is running under
        ' This proves that EIM mapped the Kerberos user to an
        ' iSeries user profile
        MsgBox("Connected as " & iSys.getUserId)

        ' Close the Toolbox connection to the iSeries
        iSys.disconnectAllServices()

    End Sub

    Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
        Close()
    End Sub

End Class


On 8/3/2011 1:44 PM, David Gibbs wrote:
> On 8/3/2011 1:39 PM, Vern Hamberg wrote:
>> But that VM does not know how to retrieve the credentials from the
>> system. When I use the Kinit method in java, it creates the credentials
>> cache in a file on disk. Trouble is, I need to know the user's password
>> - I mean, I should not need to run Kinit anyhow - we've already signed
>> in to the Windows domain, and the ticket-granting ticket is already on
>> the system.
>
> Fair warning: I don't know .net at all.
>
> If you are using jt400 ... can you get an AS400 object?
>
> Perhaps you can use a ProfileTokenCredential ... that way you don't need the credentials. http://urlq.us/2o
>
> david
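
An added diagnostic example, not part of the original post or of IBM's sample: it acquires the Kerberos credential explicitly through JGSS and only then hands it to jt400 with setGSSCredential, so a failure can be attributed either to the local runtime's credential lookup or to the iSeries/EIM side. The class name SSOCredentialCheck and the host-name argument are assumptions.

```java
import com.ibm.as400.access.AS400;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Hypothetical class name; usage: java SSOCredentialCheck <iSeries host>
public class SSOCredentialCheck
{
    // OID of the Kerberos V5 GSS-API mechanism.
    private static final String KRB5_MECH = "1.2.840.113554.1.2.2";

    public static void main(String[] args) throws Exception
    {
        if (args.length != 1)
        {
            System.err.println("usage: java SSOCredentialCheck <iSeries host>");
            System.exit(2);
        }
        // Same setting as the sample above: no JAAS Subject is created.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // Step 1: ask the runtime for the default initiator credential.
        // If this throws, the runtime cannot see a ticket-granting ticket,
        // and the iSeries has not been contacted at all.
        GSSCredential cred;
        try
        {
            cred = GSSManager.getInstance().createCredential(
                null, GSSCredential.DEFAULT_LIFETIME,
                new Oid(KRB5_MECH), GSSCredential.INITIATE_ONLY);
        }
        catch (GSSException e)
        {
            System.err.println("No usable Kerberos credential: " + e.getMessage());
            System.exit(1);
            return;
        }
        System.out.println("Principal: " + cred.getName()
            + ", seconds remaining: " + cred.getRemainingLifetime());

        // Step 2: give jt400 that credential and require Kerberos, so a
        // failure here points at the server, service ticket, or EIM mapping.
        AS400 sys = new AS400(args[0]);
        try
        {
            sys.setGuiAvailable(false);
            sys.setGSSOption(AS400.GSS_OPTION_MANDATORY);
            sys.setGSSCredential(cred);
            sys.connectService(AS400.SIGNON);
            System.out.println("Connected as " + sys.getUserId());
        }
        finally
        {
            sys.disconnectAllServices();
            cred.dispose();
        }
    }
}
```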




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.