Kerberos Automatic Sign-on Support for IBM i

  • 7022332
  • 21-Sep-2006
  • 25-Mar-2018

Environment

Reflection for the Web (All Editions) version 12.2 or higher
Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)

Situation

This technical note explains how to configure Reflection for the Web to use a Kerberos-based service ticket in place of your user name and password when logging on to an IBM i server. This functionality makes it unnecessary to send your user name and password in clear text. Users can access IBM i resources based on their Active Directory domain authentication (or Kerberos authentication).

Resolution

Setting Up Automatic Sign-On

Follow the suggestions in the following sections to configure the Reflection for the Web automatic sign-on feature.

System Requirements

The following are system requirements for Reflection automatic sign-on support.

IBM i

  • OS/400 (i5/OS) V5R2 or higher, with the most recent PTF package
  • IBM i Navigator to configure Network Authentication Service (NAS) and Enterprise Identity Mapping (EIM)

KDC

  • The KDC must support Kerberos 5

Microsoft Windows Client

  • Microsoft Windows 8, 7, 2000, or XP
  • User must login to a domain with a domain account

Configuring IBM i

Before configuring Reflection to use automatic sign-on, access the IBM i Navigator using an administrative ID and address these topics for the Kerberos realm and IBM i.

  • Create a Microsoft Windows user and principal for the Kerberos realm for your IBM i Server.
  • Configure NAS on your IBM i.
  • Configure an EIM Domain Controller and Domain on your IBM i.
  • Configure the EIM Domain with Identifiers and Associations for each user.

For more information on these topics, see the IBM i Information Center:

Additionally, IT Jungle has the following series of articles available on this topic:

Configuring Windows for Reflection Automatic Sign-On

This section explains how to configure Microsoft Windows so that Reflection for the Web can use the Kerberos ticket for authentication and access. If you are not running Reflection in a Microsoft Windows Domain, skip to Create a Reflection Session with Kerberos Automatic Sign-On. Otherwise, follow the steps below.

I. Configure Accounts to Use DES Encryption

The features of Kerberos that are used by Reflection for the Web require that Windows user accounts be configured to use DES encryption. By default, Windows uses RSA emulation.

To configure user accounts to use DES encryption, you need to perform the following steps on the server hosting Active Directory, for each user account. These steps can be performed by modifying group or system-wide policies.

  1. Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
  2. Select an account user, right-click, and then click Properties.
  3. Click the Account tab.
  4. In the Account options scroll box, enable "Use DES encryption types for this account."

Note: If you do not want to require pre-authentication before issuing a TGT, you must also enable "Do not require Kerberos preauthentication" for each user. However, enabling this setting decreases the security of your Kerberos configuration.
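The same account setting applied from the ActiveDirectory PowerShell module on a domain controller, as an added example that is not part of the technical note; the account names are constructed placeholders, the USE_DES_KEY_ONLY bit (0x200000) is the userAccountControl flag behind the "Use DES encryption types for this account" check box, and the script leaves the pre-authentication flag as it is.

```powershell
# Added example: set "Use DES encryption types for this account" on a list of
# domain accounts and read the resulting flag back. Requires the ActiveDirectory
# module (RSAT) and an account permitted to modify the users.
Import-Module ActiveDirectory

# userAccountControl bit set by the "Use DES encryption types" check box.
$USE_DES_KEY_ONLY = 0x200000

function Set-DesKeyOnly {
    param([string[]]$SamAccountName)

    foreach ($name in $SamAccountName) {
        # Only the DES flag is changed. "Do not require Kerberos preauthentication"
        # (DONT_REQ_PREAUTH) is a separate flag and is not touched here.
        Set-ADAccountControl -Identity $name -UseDESKeyOnly $true

        # Read userAccountControl back and report whether the bit is now set.
        $user = Get-ADUser -Identity $name -Properties userAccountControl
        [pscustomobject]@{
            SamAccountName = $name
            DesKeyOnly     = (($user.userAccountControl -band $USE_DES_KEY_ONLY) -ne 0)
        }
    }
}

# Constructed placeholder account names; replace with the real Reflection users.
Set-DesKeyOnly -SamAccountName 'jdoe', 'asmith' | Format-Table -AutoSize
```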

II. Modify the Windows Clients to Export the Session Key

By default, Microsoft Windows Server 2003, Windows 2000 Server SP4 and Windows XP SP2 are configured not to export the TGT session key for access by other programs. As a result, the TGT obtained on Windows has a blank session key.

Follow these steps to update the Windows registry and configure Windows to allow other programs access to the TGT session key information.

Warning: Proceed with extreme caution when editing the Windows Registry. It is critical to back up the Registry before you proceed. For full details and warnings regarding editing the Windows Registry, see Microsoft Article 256986:

http://support.microsoft.com/default.aspx?scid=kb;en-us;256986

  1. Click Start > Run.
  2. In the Open field, enter regedit, and then click OK.
  3. Navigate to the Windows registry location specified below for your operating system.

For Windows 8, Windows 7, Windows Server 2003, and Windows 2000 SP4:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

For Windows XP SP2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\

  4. If the DWORD allowTGTSessionKey already exists, skip to step 6. Otherwise, right-click Kerberos, click New > DWORD Value.
  5. Change the DWORD name to allowTGTSessionKey.
  6. Right-click allowTGTSessionKey > Modify.
  7. In the Value data field, enter 1. (The default is 0.)
  8. Exit the Windows registry.
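The registry change above done from PowerShell, as an added example that is not part of the technical note: it picks the key by Windows version (XP is version 5.1 and uses the Kerberos key directly; the other listed versions use the Parameters subkey), creates or updates the DWORD, and reads it back. It assumes an elevated session on the client being configured.

```powershell
# Added example: create or update the allowTGTSessionKey DWORD that lets other
# programs read the TGT session key. Run elevated; takes effect at the next logon.

function Get-KerberosRegistryKey {
    # Windows XP (5.1) keeps the value under ...\Lsa\Kerberos; Windows 2000 SP4,
    # Server 2003, 7 and 8 keep it under ...\Lsa\Kerberos\Parameters.
    $ver = [Environment]::OSVersion.Version
    if ($ver.Major -eq 5 -and $ver.Minor -eq 1) {
        'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos'
    } else {
        'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    }
}

function Enable-TgtSessionKeyExport {
    $key = Get-KerberosRegistryKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    $existing = Get-ItemProperty -Path $key -Name allowTGTSessionKey -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # The DWORD does not exist yet: create it with value 1.
        New-ItemProperty -Path $key -Name allowTGTSessionKey -PropertyType DWord -Value 1 | Out-Null
    } else {
        # The DWORD exists (default 0): modify it to 1.
        Set-ItemProperty -Path $key -Name allowTGTSessionKey -Value 1
    }

    # Return $true when the value now reads 1, so the result can be checked before
    # exporting the key to other workstations.
    (Get-ItemProperty -Path $key -Name allowTGTSessionKey).allowTGTSessionKey -eq 1
}

Enable-TgtSessionKeyExport
```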

III. Export the Updated Registry Settings to Users

Export the updated Windows registry key, and use Windows Active Directory, SMS, or any other method to push the registry updates out to the Reflection for the Web client workstations.

Create a Reflection Session with Kerberos Automatic Sign-On

Follow the steps below to create a Reflection for the Web 2011 or 2008 session with Kerberos automatic sign-on enabled.

  1. Start the Reflection for the Web management server and log in as an administrator.
  2. Click Administrative WebStation.
  3. Click Session Manager and then click Add.
  4. Select IBM 5250, enter a Session name, click Continue, and then click Launch.
  5. In the Connection (or Session) Setup dialog box, enter the fully qualified host name or IP address (for example, bluebell.wa.com), and then click Advanced (or More) Settings.
  6. In Reflection for the Web, click the "Kerberos sign-on options" button.
  7. Select the "Enable Kerberos automatic sign-on" check box, and then select the Specify realm and KDC radio button.
  8. In the Kerberos realm field, enter the fully qualified domain name (FQDN) of the Kerberos realm using all capitals. For example, FLOWERS.WA.COM.
  9. In the Kerberos KDC field, enter the KDC server's FQDN.
  10. Click OK > OK.

Testing the Connection

To verify that your session has been successfully set up for Kerberos automatic sign-on, log on to the domain and then start the session. You should be logged in automatically to the IBM i host.

Troubleshooting Errors

This section provides troubleshooting steps and resources for several common errors.

Error: KDC has no support for encryption type (14)

Cause: This error occurs in Windows domains if the Windows encryption method is not changed from RSA RC4 to DES or the registry is not updated to export the session key.

To view the current TGT, and determine the current encryption type or visibility, use the Microsoft Kerbtray utility. To obtain and use Kerbtray, follow these steps.

  1. Download the Windows Server 2003 Resource Kit Tools from Microsoft Downloads at:
     http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd
  2. Install the Resource Kit.
  3. Click Start > Programs > Windows Resource Kit Tools > Command Shell, and then enter kerbtray.
  4. Select the TGT you want to view, and then click the Encryption Types tab. The encryption type is shown in the Key Encryption Type field.

Resolution: To resolve this problem, follow the steps in Configuring Windows for Reflection Automatic Sign-On.

Error: Could not load configuration file krb5.conf.

Cause: Reflection is looking for a krb5.conf file because the "Use default realm and KDC in Kerberos configuration file" radio button is selected in the Reflection for the Web Connection > Session Setup > More Settings dialog box.

Resolution: Provide a krb5.conf configuration file in the expected location, or specify a realm and KDC for this setting.

Error: Pre-authentication information was invalid (24)

Cause: The user is not logged in to the domain when running the IBM i session.

Resolution: Log on to the domain and try again.
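A client-side check for the causes listed above, as an added example that is not part of the technical note: it reads allowTGTSessionKey from both registry locations the note gives and parses the TGT entry from klist output (klist is built into Windows 7 and 8; Kerbtray remains the note's tool for XP and 2003). The klist line format matched by the regular expression is an assumption about those Windows versions.

```powershell
# Added example: diagnose "KDC has no support for encryption type (14)" and
# "Pre authentication information was invalid (24)" on a Reflection client.

function Get-TgtSessionKeyExportSetting {
    # Either location may hold the value depending on the Windows version.
    $keys = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters',
            'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos'
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name allowTGTSessionKey -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [int]$v.allowTGTSessionKey }
    }
    return 0   # value absent: Windows default, the session key is not exported
}

function Get-TgtEncryptionInfo {
    param([string[]]$KlistOutput = (klist.exe 2>&1))
    # Locate the krbtgt ticket and the ticket and session key type lines after it
    # (assumed klist format: "KerbTicket Encryption Type:" and "Session Key Type:").
    $text = $KlistOutput -join "`n"
    $m = [regex]::Match($text,
        'Server:\s*krbtgt/\S+[\s\S]*?KerbTicket Encryption Type:\s*(?<ticket>\S+)[\s\S]*?Session Key Type:\s*(?<session>\S+)')
    if (-not $m.Success) { return $null }   # no TGT cached: not logged on to the domain
    [pscustomobject]@{
        TicketEncryptionType = $m.Groups['ticket'].Value
        SessionKeyType       = $m.Groups['session'].Value
    }
}

$export = Get-TgtSessionKeyExportSetting
$tgt    = Get-TgtEncryptionInfo
"allowTGTSessionKey = $export  (1 = session key exported to other programs)"
if ($null -eq $tgt) {
    'No TGT found in the ticket cache; log on to the domain and try again (error 24).'
} else {
    "TGT ticket type: $($tgt.TicketEncryptionType); session key type: $($tgt.SessionKeyType)"
    if ($tgt.SessionKeyType -notmatch 'DES') {
        'Session key is not DES: the account still uses the default Windows encryption type (error 14).'
    }
}
```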

For further troubleshooting errors and details, see Sun's Java Kerberos troubleshooting information at:

http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 1954.
