The purpose of this document is to help the reader understand the size and scope of the effort required to set up a single sign on environment, and provide references to authoritative source documents—information that is freely available on-line from IBM and other online resources.

This document focuses on an implementation using network authentication service (NAS) and Enterprise Identity Mapping (EIM) to create a basic single sign on environment. NAS allows the Power i to accept Kerberos tickets as a form of authentication. EIM is used to map the Kerberos id (principle) to an IBM i user. We hope you will gain a basic understanding of what is involved in configuring a single sign on environment. IBM source documents will be required to complete an actual implementation in the absence of personnel with specific knowledge of these tasks.

Required Components

IBM i Components
The minimum recommended IBM i level is V5R4M0 with current group and cumulative PTFs These IBM i options and license programs are required:

  • 57xxSS1 Option 12 - Host Servers
  • 57xxSS1 Option 30 - QShell Interpreter
  • 57xxAC3 Crypto Access Provider 128-bit for AS/400
  • 57xxCE3 Client Encryption 128-bit (optional for Client side encryption)
  • 57xxDG1 IBM HTTP Server for iSeries (optional for additional scenarios)
  • 57xxXE1 iSeries Access for Windows

Network Components

  • Kerberos Key Distribution Center (Windows 2008 R2 server, z/OS, AIX, Linux)
    If you already have a Windows 2000/2003 Server on your network that is Active Directory enabled, use it for the KDC.
  • Network Authentication Service configured on the Power i
  • EIM (Enterprise Identity Mapping) configured on the Power i
  • Client PCs (in network) configured in a Windows domain
  • General TCP/IP considerations:
    Name resolution – must have reliable name resolution
    Simple Network Time Protocol (SNTP)–Your KDC and Power i on the network must have reasonably (5 minutes) synchronized clocks

Browser with Kerberos support

  • We tested this setup with IE, FireFox and Chrome. All worked.

Configuration Steps

IBM Planning Worksheets

The planning work sheets list the information that you need to gather and the decisions you need to make to prepare the single sign on implementation described by this scenario. They can be accessed here:

Create the Environment

This is a link to IBM’s configuration example and includes the steps below.

Each step will take from a few minutes to a few hours depending on individual experience.

  • Create a basic single sign on configuration for System A
  • Add System A service principal to the Kerberos server
  • Be sure to set the delegation property to trust the System i principle for delegation to any service
  • Create a home directory for John Day on System A
  • Test the network authentication service configuration on System A
  • Create an EIM identifier for John Day
  • Create a source association and target association for the new EIM identifier
  • Test EIM identity mappings
  • Configure iSeries Access for Windows applications to use Kerberos authentication
  • Verify network authentication service and EIM configuration

Configure Apache Server to Use Kerberos

Kerberos provides the authentication while EIM provides the user id for authorization. Add the following required directives to your Apache configuration:

Require valid-user 
AuthType Kerberos 
AuthName Secure_SEQUELWI 
PasswdFile %%KERBEROS%% 

Note: The name SEQUELWI is not required. It is used as an example.

Configure Browser to Use Kerberos

This step is usually easy as Microsoft IE will likely use Kerberos single sign on by default and need no configuration changes. FireFox usually needs just a simple configuration change.

For I.E

Configure Local Intranet Domains

  1. In Internet Explorer, select Tools\Internet Options.
  2. Select the Security tab.
  3. Select Local intranet and click Sites.
  4. In the Local intranet popup, ensure that the “Include all sites that bypass the proxy server” and “Include all local (intranet) sites not listed in other zones” options are checked.
  5. Click Advanced.
  6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for WebLogic Server instances participating in the SSO configuration (for example, and click OK.

Configure Intranet Authentication

  1. Select Tools\Internet Options.
  2. Select the Security tab.
  3. Select Local intranet and click Custom Level... .
  4. In the Security Settings dialog box, scroll to the User Authentication section.
  5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece to this solution.
  6. Click OK.

Verify the Proxy Settings (If you have a proxy server enabled)

  1. Select Tools\Internet Options.
  2. Select the Connections tab and click LAN Settings.
  3. Verify that the proxy server address and port number are correct.
  4. Click Advanced.
  5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field.
  6. Click OK to close the Proxy Settings dialog box.

Set Integrated Authentication for Internet Explorer 6.0

  1. In addition to the settings already described, one additional setting is required if you are running Internet Explorer 6.0.
  2. In Internet Explorer, select Tools\Internet Options.
  3. Select the Advanced tab.
  4. Scroll to the Security section.
  5. Make sure that Enable Integrated Windows Authentication option is checked and click OK.
  6. If this option was not checked, restart the computer.

For FireFox

  1. Start Firefox.
  2. Enter about:config in the Location Bar.
  3. Enter the filter string network.negotiate.
  4. Set the preferences as shown below by double clicking on the names that need to be set.
Preference Name Status Type Value
network.negotiate-auth.allow-proxies default boolean true
network.negotiate-auth.delegation-uris user set string http://,https://
network.negotiate-auth.gsslib default string  
network.negotiate-auth.trusted-uris user set string http://,https://
network.negotiate-auth.using-native-gsslib default boolean true


Do you know about HelpSystems' SSO Managed Services

Still have questions? We can help. Submit a case to Technical Support.

New to Sequel? Learn more, or sign up for a free trial.

Last Modified On: May 05, 2021