Environment
Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)
Situation
Resolution
Setting Up Automatic Sign-On
Follow the suggestions in the following sections to configure the Reflection for the Web automatic sign-on feature.
Configuring IBM i
Configuring Windows for Reflection Automatic Sign-On
Create a Reflection Session with Kerberos Automatic Sign-On
Testing the Connection
Troubleshooting Errors
System Requirements
The following are system requirements for Reflection automatic sign-on support.
IBM i
- OS/400 (i5/OS) V5R2 or higher, with the most recent PTF package
- IBM i Navigator to configure Network Authentication Service (NAS) and Enterprise Identity Mapping (EIM)
KDC
- The KDC must support Kerberos 5
Microsoft Windows Client
- Microsoft Windows 8, 7, 2000, or XP
- User must log in to a domain with a domain account
Configuring IBM i
Before configuring Reflection to use automatic sign-on, access the IBM i Navigator using an administrative ID and address these topics for the Kerberos realm and IBM i.
- Create a Microsoft Windows user and principal for the Kerberos realm for your IBM i Server.
- Configure NAS on your IBM i.
- Configure an EIM Domain Controller and Domain on your IBM i.
- Configure the EIM Domain with Identifiers and Associations for each user.
For more information on these topics, see the IBM i Information Center:
http://www-01.ibm.com/support/knowledgecenter/ssw_
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/
http://publib-b.boulder.ibm.com/abstracts/sg246975.html?
Additionally, IT Jungle has the following series of articles available on this topic:
http://www.itjungle.com/fhg/fhg042705-story03.html
http://www.itjungle.com/fhg/fhg050405-story03.html
Configuring Windows for Reflection Automatic Sign-On
This section explains how to configure Microsoft Windows so that Reflection for the Web can use the Kerberos ticket for authentication and access. If you are not running Reflection in a Microsoft Windows Domain, skip to Create a Reflection Session with Kerberos Automatic Sign-On. Otherwise, follow the steps below.
I. Configure Accounts to Use DES Encryption
The features of Kerberos that are used by Reflection for the Web require that Windows user accounts be configured to use DES encryption. By default, Windows uses RSA RC4 encryption.
To configure user accounts to use DES encryption, you need to perform the following steps on the server hosting Active Directory, for each user account. These steps can be performed by modifying group or system-wide policies.
- Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
- Select an account user, right-click, and then click Properties.
- Click the Account tab.
- In the Account options scroll box, enable "Use DES encryption types for this account."
Note: If you do not want to require pre-authentication before issuing a TGT, you must also enable "Do not require Kerberos preauthentication" for each user. However, enabling this setting decreases the security of your Kerberos configuration.
II. Modify the Windows Clients to Export the Session Key
By default, Microsoft Windows Server 2003, Windows 2000 Server SP4, and Windows XP SP2 are configured not to export the TGT session key for access by other programs. As a result, the TGT obtained on Windows has a blank session key.
Follow these steps to update the Windows registry and configure Windows to allow other programs access to the TGT session key information.
Warning: Proceed with extreme caution when editing the Windows Registry. It is critical to back up the Registry before you proceed. For full details and warnings regarding editing the Windows Registry, see Microsoft Article 256986:
http://support.microsoft.com/default.aspx?scid=
1. Click Start > Run.
2. In the Open field, enter regedit, and then click OK.
3. Navigate to the Windows registry location specified below for your operating system.
   For Windows 8, Windows 7, Windows Server 2003, and Windows 2000 SP4:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
   For Windows XP SP2:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
4. If the DWORD allowTGTSessionKey already exists, skip to step 6. Otherwise, right-click Kerberos, click New > DWORD Value.
5. Change the DWORD name to allowTGTSessionKey.
6. Right-click allowTGTSessionKey > Modify.
7. In the Value data field, enter 1. (The default is 0.)
8. Exit the Windows registry.
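The following PowerShell script is an added example, not part of the original article or of the Reflection product, that checks the two Windows-side prerequisites described in sections I and II before a session is tested: the allowTGTSessionKey value under the registry path for the running OS, and the "Use DES encryption types" and "Do not require Kerberos preauthentication" flags on the user account. It assumes the RSAT ActiveDirectory module is installed for the account check, that it runs elevated when -Apply is used, and that klist.exe is present (Windows 7 and later); the user name is a placeholder defaulting to the current user.

```powershell
# Added example: pre-flight check for Reflection Kerberos automatic sign-on
# prerequisites. Not from the original article. Assumes RSAT ActiveDirectory
# module for the account check and an elevated session when -Apply is used.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SamAccountName = $env:USERNAME,   # placeholder: account to audit
    [switch]$Apply                              # set allowTGTSessionKey=1 if missing
)

# The article gives two registry locations: Windows XP SP2 (NT 5.1) uses the
# Kerberos key itself; Windows 8/7/Server 2003/2000 SP4 use the Parameters subkey.
$osVersion = [Environment]::OSVersion.Version
$kerbKey = if ($osVersion.Major -eq 5 -and $osVersion.Minor -eq 1) {
    'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos'
} else {
    'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
}

function Get-TgtSessionKeySetting {
    param([string]$Key)
    # Returns the DWORD value, or 0 (the documented default) when it is absent.
    $value = (Get-ItemProperty -Path $Key -Name allowTGTSessionKey `
        -ErrorAction SilentlyContinue).allowTGTSessionKey
    if ($null -eq $value) { return 0 }
    return [int]$value
}

function Get-KerberosAccountFlags {
    param([string]$Name)
    # UseDESKeyOnly corresponds to "Use DES encryption types for this account";
    # DoesNotRequirePreAuth to "Do not require Kerberos preauthentication".
    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $Name -Properties UseDESKeyOnly, DoesNotRequirePreAuth
    return [pscustomobject]@{
        SamAccountName        = $user.SamAccountName
        UseDESKeyOnly         = [bool]$user.UseDESKeyOnly
        DoesNotRequirePreAuth = [bool]$user.DoesNotRequirePreAuth
    }
}

$current = Get-TgtSessionKeySetting -Key $kerbKey
Write-Host "allowTGTSessionKey at $kerbKey = $current (1 = session key exported)"

if ($Apply -and $current -ne 1) {
    if ($PSCmdlet.ShouldProcess($kerbKey, 'Set allowTGTSessionKey = 1')) {
        if (-not (Test-Path $kerbKey)) { New-Item -Path $kerbKey -Force | Out-Null }
        New-ItemProperty -Path $kerbKey -Name allowTGTSessionKey `
            -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host 'allowTGTSessionKey set to 1; log off and on again to obtain a fresh TGT'
    }
}

try {
    Get-KerberosAccountFlags -Name $SamAccountName | Format-List
} catch {
    Write-Warning "Could not read account flags for $SamAccountName (RSAT AD module required): $_"
}

# klist is built into Windows 7 and later and shows the cached TGT with its
# encryption type, which serves the same purpose as Kerbtray in the article.
klist tgt
```

Run it without -Apply first to see the current state; a value of 0 for allowTGTSessionKey, or UseDESKeyOnly reported as False, explains the "KDC has no support for encryption type (14)" error discussed under Troubleshooting. The -WhatIf switch shows what -Apply would change without writing to the registry.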
III. Export the Updated Registry Settings to Users
Export the updated Windows registry key, and use Windows Active Directory, SMS, or any other method to push the registry updates out to the Reflection for the Web client workstations.
Create a Reflection Session with Kerberos Automatic Sign-On
Follow the steps below to create a Reflection for the Web 2011 or 2008 session with Kerberos automatic sign-on enabled.
- Start the Reflection for the Web management server and log in as an administrator.
- Click Administrative WebStation.
- Click Session Manager and then click Add.
- Select IBM 5250, enter a Session name, click Continue, and then click Launch.
- In the Connection (or Session) Setup dialog box, enter the fully qualified host name or IP address (for example, bluebell.wa.com), and then click Advanced (or More) Settings.
- In Reflection for the Web, click the "Kerberos sign-on options" button.
- Select the "Enable Kerberos automatic sign-on" check box, and then select the Specify realm and KDC radio button.
- In the Kerberos realm field, enter the fully qualified domain name (FQDN) of the Kerberos realm using all capitals. For example, FLOWERS.WA.COM.
- In the Kerberos KDC field, enter the KDC server's FQDN.
- Click OK > OK.
Testing the Connection
To verify that your session has been successfully set up for Kerberos automatic sign-on, log on to the domain and then start the session. You should be logged in automatically to the IBM i host.
Troubleshooting Errors
This section provides troubleshooting steps and resources for several common errors.
Error: KDC has no support for encryption type (14)
Cause: This error occurs in Windows domains if the Windows encryption method is not changed from RSA RC4 to DES or the registry is not updated to export the session key. To view the current TGT, and determine the current encryption type or visibility, use the Microsoft Kerbtray utility. To obtain and use Kerbtray, follow these steps.
1. Download the Windows Server 2003 Resource Kit Tools from Microsoft Downloads at: http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd
2. Install the Resource Kit.
3. Click Start > Programs > Windows Resource Kit Tools > Command Shell, and then enter kerbtray.
4. Select the TGT you want to view, and then click the Encryption Types tab. The encryption type is shown in the Key Encryption Type field.
Resolution: To resolve this problem, follow the steps in Configuring Windows for Reflection Automatic Sign-On.

Error: Could not load configuration file krb5.conf.
Cause: Reflection is looking for a krb5.conf file because the "Use default realm and KDC in Kerberos configuration file" radio button is selected in the Reflection for the Web Connection > Session Setup > More Settings dialog box.
Resolution: Provide a krb5.conf configuration file in the expected location or specify a realm and KDC for this setting.

Error: Pre authentication information was invalid (24)
Cause: User is not logged in to the domain when running the IBM i session.
Resolution: Log on to the domain and try again.
For further troubleshooting errors and details, see Sun's Java Kerberos troubleshooting information at: