Technical Notes

Kerberos Automatic Sign-On Support for the iSeries
Technical Note 1954
Last Reviewed 30-May-2008
Applies To
Reflection for the Web 2008 (All Editions)
Reflection for the Web version 9.x
IBM iSeries System 5
Summary

This technical note explains how to configure Reflection for the Web to use a Kerberos-based service ticket in place of your user name and password when logging on to an IBM iSeries server. This functionality makes it unnecessary to send your user name and password in clear text. Users can access iSeries resources based on their Active Directory domain authentication (or Kerberos authentication).

Supported Network Environments

This feature can be used in network environments based on Microsoft Active Directory Domains, or non-Microsoft platforms that have an appropriately configured Kerberos realm.

If your network environment is based on Microsoft Active Directory, this feature can be used to provide users access to iSeries servers without requiring additional logons. Reflection can use a Kerberos ticket to access the iSeries resources.

If your network environment is based on a non-Microsoft platform, such as Mac or Linux, this feature can be used to provide users access to multiple iSeries servers, after a single logon to the Kerberos realm.

Setting Up Automatic Sign-On

Follow the suggestions in the following sections to configure the Reflection for the Web automatic sign-on feature.

System Requirements

The following are system requirements for Reflection automatic sign-on support.

IBM iSeries

  • OS/400 (i5/OS) V5R2 or higher, with the most recent PTF package
  • iSeries Navigator to configure Network Authentication Service (NAS) and Enterprise Identity Mapping (EIM)

KDC

  • The KDC must support Kerberos 5

Microsoft Windows Client

  • Microsoft Windows 2000 or XP
  • User must login to a domain with a domain account

Configuring the iSeries

Before configuring Reflection to use automatic sign-on, access the iSeries Navigator using an administrative ID and address these topics for the Kerberos realm and iSeries.

  • Create a Microsoft Windows user and principal for the Kerberos realm for your iSeries Server.
  • Configure NAS on your iSeries.
  • Configure an EIM Domain Controller and Domain on your iSeries.
  • Configure the EIM Domain with Identifiers and Associations for each user.

For more information on these topics, see the IBM iSeries Information Center:

Additionally, IT Jungle has the following series of articles available on this topic:

Configuring Windows for Reflection Automatic Sign-On

This section explains how to configure Microsoft Windows so that Reflection for the Web can use the Kerberos ticket for authentication and access. If you are not running Reflection in a Microsoft Windows Domain, skip to Create a Reflection Session with Kerberos Automatic Sign-On. Otherwise, follow the steps below.

I. Configure Accounts to Use DES Encryption

The features of Kerberos that are used by Reflection for the Web require that Windows user accounts be configured to use DES encryption. By default, Windows uses RSA emulation.

To configure user accounts to use DES encryption, you need to perform the following steps on the server hosting Active Directory, for each user account. These steps can be performed by modifying group or system-wide policies.

  1. Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
  2. Select an account user, right-click, and then click Properties.
  3. Click the Account tab.
  4. In the Account options scroll box, enable "Use DES encryption types for this account."

Note: If you do not want to require pre-authentication before issuing a TGT, you must also enable "Do not require Kerberos preauthentication" for each user. However, enabling this setting decreases the security of your Kerberos configuration.
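Because the two account options above are set per user, it is easy to lose track of which accounts carry them. The following audit script is an added example, not part of this technical note or of Reflection: it lists every domain account with "Use DES encryption types for this account" set and flags those that also have "Do not require Kerberos preauthentication", so the weaker setting can be reviewed. It assumes it runs on a domain-joined Windows machine as a user permitted to read Active Directory; the OID is the LDAP_MATCHING_RULE_BIT_AND rule and the two flag values are the userAccountControl bits USE_DES_KEY_ONLY and DONT_REQ_PREAUTH.

```powershell
# Added audit script (not from the technical note): find accounts configured as in
# section I and show which of them also skip Kerberos pre-authentication.
$USE_DES_KEY_ONLY = 0x200000   # userAccountControl bit set by "Use DES encryption types"
$DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit set by "Do not require preauthentication"
$bitAnd = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

# Search the current domain for user objects whose userAccountControl has the DES bit set.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:$bitAnd:=$USE_DES_KEY_ONLY))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl'))

foreach ($result in $searcher.FindAll()) {
    $name = $result.Properties['samaccountname'][0]
    $uac  = [int]$result.Properties['useraccountcontrol'][0]
    New-Object PSObject -Property @{
        Account           = $name
        DesOnly           = $true
        # The note says this setting lowers the security of the configuration; review each hit.
        NoPreauthRequired = (($uac -band $DONT_REQ_PREAUTH) -ne 0)
    }
}
```

Run it from a PowerShell prompt on any domain member; accounts reported with NoPreauthRequired set to True are the ones the note's caution applies to.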

II. Modify the Windows Clients to Export the Session Key

By default, Microsoft Windows Server 2003, Windows 2000 Server SP4 and Windows XP SP2 are configured not to export the TGT session key for access by other programs. As a result, the TGT obtained on Windows has a blank session key.

Follow these steps to update the Windows registry and configure Windows to allow other programs access to the TGT session key information.

Warning: Proceed with extreme caution when editing the Windows Registry. It is critical to back up the Registry before you proceed. For full details and warnings regarding editing the Windows Registry, see Microsoft Article 256986:

http://support.microsoft.com/default.aspx?scid=kb;en-us;256986

  1. Click Start > Run.
  2. In the Open field, enter regedit, and then click OK.
  3. Navigate to the Windows registry location specified below for your operating system.

For Windows Server 2003 and Windows 2000 SP4:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

For Windows XP SP2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\

  4. If the DWORD allowTGTSessionKey already exists, skip to step 6. Otherwise, right-click Kerberos, click New > DWORD Value.
  5. Change the DWORD name to allowTGTSessionKey.
  6. Right-click allowTGTSessionKey > Modify.
  7. In the Value data field, enter 1. (The default is 0.)
  8. Exit the Windows registry.

III. Export the Updated Registry Settings to Users

Export the updated Windows registry key, and use Windows Active Directory, SMS, or any other method to push the registry updates out to the Reflection for the Web client workstations.
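The exported key takes the form of a .reg file. The file below is an added example, not an export shipped with the technical note or with Reflection: it sets allowTGTSessionKey to 1 under both locations named above, so one file can be pushed to Windows Server 2003, Windows 2000 SP4 and Windows XP SP2 clients alike (the unused key is simply created where it does not exist).

```reg
Windows Registry Editor Version 5.00

; Added example .reg file (not from the technical note). Importing it performs
; steps II.4 to II.8 on a client without opening regedit by hand.

; Location the note gives for Windows Server 2003 and Windows 2000 SP4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"allowTGTSessionKey"=dword:00000001

; Location the note gives for Windows XP SP2
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]
"allowTGTSessionKey"=dword:00000001
```

Apply it silently with `regedit /s allowtgtsessionkey.reg` and confirm with `reg query HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v allowTGTSessionKey`. Because the value makes the TGT session key readable by any program running in the user's logon session, limit the push to the workstations that actually run Reflection sessions.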

Create a Reflection Session with Kerberos Automatic Sign-On

Follow the steps below to create a Reflection for the Web 2008 (or Reflection for the Web 9.x) session with Kerberos automatic sign-on enabled.

  1. Start the Reflection for the Web management server and log in as an administrator.
  2. Click Administrative WebStation.
  3. Click Session Manager and then click Add.
  4. Select IBM 5250, enter a Session name, click Continue, and then click Launch.
  5. In the Connection (or Session) Setup dialog box, enter the fully qualified host name or IP address (for example, bluebell.wa.com), and then click Advanced (or More) Settings.
  6. In Reflection for the Web 2008, click the "Kerberos sign-on options" button.
  7. Select the "Enable Kerberos automatic sign-on" check box, and then select the Specify realm and KDC radio button.
  8. In the Kerberos realm field, enter the fully qualified domain name (FQDN) of the Kerberos realm using all capitals. For example, FLOWERS.WA.COM.
  9. In the Kerberos KDC field, enter the KDC server's FQDN.
  10. Click OK > OK.

Testing the Connection

To verify that your session has been successfully set up for Kerberos automatic sign-on, log on to the domain and then start the session. You should be logged in automatically to the iSeries host.

Troubleshooting Errors

This section provides troubleshooting steps and resources for several common errors.

Error
KDC has no support for encryption type (14)
Cause
This error occurs in Windows domains if the Windows encryption method is not changed from RSA RC4 to DES or the registry is not updated to export the session key.
To view the current TGT, and determine the current encryption type or visibility, use the Microsoft Kerbtray utility. To obtain and use Kerbtray, follow these steps.
1. Download the Windows Server 2003 Resource Kit Tools from Microsoft Downloads at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd
2. Install the Resource Kit.
3. Click Start > Programs > Windows Resource Kit Tools > Command Shell, and then enter kerbtray.
4. Select the TGT you want to view, and then click the Encryption Types tab.
The encryption type is shown in the Key Encryption Type field.

Resolution
To resolve this problem, follow the steps in Configuring Windows for Reflection Automatic Sign-On.

Error
Could not load configuration file krb5.conf.
Cause
Reflection is looking for a krb5.conf file because the "Use default realm and KDC in Kerberos configuration file" radio button is selected in the Reflection for the Web Connection > Session Setup > More Settings dialog box.
Resolution
Provide a krb5.conf configuration file in the expected location or specify a realm and KDC for this setting.
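If you choose the configuration-file route, the file must name the same realm and KDC you would otherwise type into the session (the note's example realm is FLOWERS.WA.COM; the KDC host name below is an assumption). This krb5.conf is an added example, not a file from the technical note or from Reflection, and the location Reflection reads it from is not stated in the note.

```ini
# Added example krb5.conf (not from the technical note). Realm and host mapping
# follow the note's examples; kdc.flowers.wa.com is an assumed KDC host name.
[libdefaults]
    default_realm = FLOWERS.WA.COM
    # The note's setup requires DES-keyed accounts. DES is a weak, deprecated
    # encryption type that newer KDCs disable by default; list it only where
    # this legacy configuration demands it.
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    permitted_enctypes = des-cbc-md5 des-cbc-crc

[realms]
    FLOWERS.WA.COM = {
        kdc = kdc.flowers.wa.com
        admin_server = kdc.flowers.wa.com
    }

# Maps host names such as bluebell.wa.com (the note's example host) to the realm.
[domain_realm]
    .wa.com = FLOWERS.WA.COM
    wa.com = FLOWERS.WA.COM
```

The realm name must be in capitals, as in step 8 of the session setup; a lower-case realm here produces the same "Could not load configuration file" class of failure at connect time only if the file is missing, whereas a wrong realm yields a ticket request to the wrong KDC.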

Error
Pre authentication information was invalid (24)
Cause
User is not logged in to the domain when running the iSeries session.
Resolution
Log on to the domain and try again.

For further troubleshooting errors and details, see Sun's Java Kerberos troubleshooting information at:

http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html

Related Technical Notes
9988 Reflection for the Web Technical Notes
