...
The two key technologies that underpin the SSO mechanism are the Kerberos Network Authentication Protocol and IBM i Enterprise Identity Mapping (EIM). Both must be understood, configured and working before Single Sign-On can be used with LANSA.
...
Following are the basic steps you will follow:
1. Ask your system administrator to configure the IBM i for Single Sign-On from your Windows domain (making sure the HOST principal for the IBM i is added to the keytab file), and to configure EIM on the IBM i to map each required Windows domain user to the corresponding IBM i user profile. Both must be working and tested before you continue with the next step.
The user profile under which the LANSA listener job runs (or its group profile, or one of its supplemental group profiles) must have the following data authorities to the directories and files listed below:
| Note |
|---|
| The names used may be different on your system. |
...
| File | Data authority required to the file | Data authority required to each directory in the path |
|---|---|---|
| Configuration file /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf... | *R | *X |
| Credential cache file /QIBM/UserData/OS400/NetworkAuthentication/creds/krbcred_xxxxxx... | *RW | *X |
| Keytab file /QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab | *R | *X |

2. On the IBM i, run the LANSA CONFIGURE command and choose the COMMS_EXTENSIONS facility to set COMMS_EIM_USER to the user name and password of an LDAP user authorized to query EIM. Because this credential is stored by LANSA, use a dedicated LDAP user that holds only the EIM mapping lookup authority it needs, not an EIM administrator. This step needs to be done only once per LANSA system on the IBM i.
3. Stop and restart the LANSA Listener job so that it picks up the new configuration before continuing.
4. Repeat the following steps for each user to be included in Single Sign-On:
a. Assuming that one of the mappings set up in EIM maps, say, Windows domain user user1@MYDOMAIN.COM to LANSA user DEVUSER, log on to Windows as user1@MYDOMAIN.COM.
b. Start Visual LANSA and, from the Logon dialog, perform a System Initialization using the user name and password of the LANSA user DEVUSER (in this example). This must be done at least once for each LANSA user before the Use Windows credentials option can be used to perform a Single Sign-On as that user.
c. When System Initialization completes, select the Use Windows credentials option and click OK to log on. Any values entered in the User ID and Password fields are ignored.
If the logon fails and a message box appears with the message "User user1@MYDOMAIN.COM specified is not known to LANSA", one of the above steps has not completed successfully: re-check the EIM mapping for that Windows user, the COMMS_EIM_USER setting and the listener restart, and that System Initialization was performed for that LANSA user.
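Step 1 depends on the HOST principal for the IBM i actually being present in the keytab file, and a missing or stale entry there is easy to overlook when chasing a failed Single Sign-On. The following Python script is an added example, not code from the LANSA documentation or from IBM: it parses the MIT keytab file format (version 0x0502) that krb5.keytab uses and reports whether a host/<fqdn>@REALM entry is present, which is the same information the IBM i keytab utility lists on the system but can be checked from a copy of the file offline. The host name, realm, kvno and key bytes in the sample keytab are constructed values; the IBM i service principal name krbsvr400/<fqdn> is shown only to make the sample realistic.

```python
"""Offline check that a Kerberos keytab contains the host/<fqdn>@REALM key.

Added example, not part of the LANSA documentation: parses the MIT keytab
file format (version 0x0502) that the IBM i krb5.keytab file uses.
All host names, realms, kvnos and key bytes below are constructed sample values.
"""
from __future__ import annotations

import struct
import sys
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str   # e.g. host/myibmi.mydomain.com@MYDOMAIN.COM
    name_type: int
    timestamp: int
    kvno: int
    enctype: int     # 18 = aes256-cts-hmac-sha1-96
    key: bytes


def _counted_octets(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read a uint16 length-prefixed byte string at off; return (bytes, new off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Decode every live entry; negative-size slots are deleted entries and are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # hole left by a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def has_host_principal(data: bytes, fqdn: str, realm: str) -> bool:
    """True if a host/<fqdn>@<realm> entry exists (host part compared case-insensitively)."""
    wanted = "host/" + fqdn.lower()
    for entry in parse_keytab(data):
        name, _, entry_realm = entry.principal.rpartition("@")
        if name.lower() == wanted and entry_realm == realm:
            return True
    return False


def build_keytab(entries: list[tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples; used here only to construct sample data."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:        # realm precedes the name components on disk
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample keytab: the IBM i service principal plus the HOST principal step 1 asks for.
SAMPLE_KEYTAB = build_keytab([
    ("krbsvr400/myibmi.mydomain.com@MYDOMAIN.COM", 3, 18, bytes(range(32))),
    ("host/myibmi.mydomain.com@MYDOMAIN.COM", 3, 18, bytes(range(32, 64))),
])

if __name__ == "__main__":
    # Usage: check_keytab.py <keytab path> <ibm i fqdn> <REALM>; defaults use the sample
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    fqdn = sys.argv[2] if len(sys.argv) > 2 else "myibmi.mydomain.com"
    realm = sys.argv[3] if len(sys.argv) > 3 else "MYDOMAIN.COM"
    for e in parse_keytab(raw):          # never print the key bytes themselves
        print(f"{e.principal}  kvno={e.kvno}  enctype={e.enctype}")
    print("HOST principal present:", has_host_principal(raw, fqdn, realm))
```

Reading krb5.keytab needs the same *R data authority on the file and *X on the path that the listener job user needs, so running the script under that user profile also confirms the authority requirements above. The keytab holds long-term service keys, so treat any copy taken off the system as a secret and delete it after the check; the script deliberately prints principals, kvno and enctype only.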
Also see
...