Admin Alert: Configuring Windows Desktops to Use SSO
May 25, 2005 Joe Hertvik
In recent issues, Admin Alert has been covering how to configure and use IBM’s Single Sign-On technology (SSO), which allows Windows domain users to automatically authenticate and authorize themselves to use i5/OS applications without entering an OS/400 user profile and password. While prior columns have covered server configurations, this final article completes the process by discussing how to configure your Windows desktop machines to use SSO.
If your network is not already configured for SSO, be sure to read the three previous articles in this four-part series, which cover the Windows and i5/iSeries server configurations for SSO:
- Requirements and pre-configuration tasks for enabling SSO on your iSeries partitions
- Configuring your i5/OS partitions and a Windows Key Distribution Center server (KDC) to exchange Kerberos information for SSO
- Configuring an Enterprise Identity Mapping table (EIM) inside i5/OS to tell Kerberos which i5/OS user profiles Windows users should be signed on as (mapped to) when they access i5/OS partitions and applications transparently through SSO
- User desktop configurations for using SSO for i5 access from a Windows client machine (this week)
By reading these articles and following IBM’s examples, you will configure your network and i5/OS boxes to support SSO and put yourself in position to configure your Windows desktops to use SSO for automatic sign-on. You will also need to download and read IBM’s Windows-Based Single Signon and the EIM Framework on the IBM eServer iSeries Server redbook (SG24-6975-00), which I’ll refer to as “the redbook.” This manual contains step-by-step configuration tasks, which I have been summarizing and expanding on in order to provide a template for implementing SSO. You should also note that all references to i5/OS in this article refer to an i5, iSeries, or AS/400 machine running OS/400 V5R2 or above; SSO is not available for earlier versions of OS/400.
To configure Windows user desktops to automatically sign on to i5/OS applications with SSO, here are the steps you will need to follow:
1. In each i5/OS partition where you have enabled Single Sign-On, change the Remote Sign-On Control system value (QRMTSIGN) to *VERIFY so that the system will allow your users to bypass the sign-on screen.
By default, the shipped value is *FRCSIGNON, which will not allow SSO to bypass the sign-on process. To do this on the green screen, enter the following Work with System Values command (WRKSYSVAL):
WRKSYSVAL SYSVAL(QRMTSIGN)
On the Work with System Values screen that appears, enter option 2=Change in front of the QRMTSIGN entry and press ENTER. On the Change System Value screen (CHGSYSVAL) that appears, enter *VERIFY into the remote sign-on control parameter and press ENTER. This change will take effect immediately.
This step is also discussed in section 7.3.1 of the redbook.
2. Configure EIM domain user identifiers that SSO will use to automatically sign your users on to i5 target applications.
Each user identifier contains a descriptive name for a user, the user ID the user signs on as for the source Kerberos KDC server in your Windows domain, and target entries that contain the i5/OS user ID that will be used when the source user requests a service from each of your target i5 or iSeries partitions. I covered this process in my last article. This step is also covered in section 7.2.3 of the redbook.
3. Double-check the target user profiles for each i5/OS partition listed in your EIM user identifiers to ensure that each profile has a home directory in the AS/400 Integrated File System (IFS) on that partition.
IBM has stated in some SSO presentations that this is a requirement, and SSO may fail if the target partition user does not have an IFS directory associated with it. To create a home directory for your target partition user in the '/home' directory under the root ('/') directory of the AS/400 IFS, run the following green-screen Create Directory command (CRTDIR):
CRTDIR DIR('/home/username')
Then make sure that the user profile being used for SSO is authorized to access this folder. You can then specify the folder as the user’s home directory by running the Change User Profile command (CHGUSRPRF), like this:
CHGUSRPRF USRPRF(username) HOMEDIR('/home/username')
4. Each PC that you want to configure for SSO must be running Windows 2000 or a later operating system.
IBM does not support SSO on earlier versions of Windows. Also make sure that the Windows desktop is running iSeries Access for Windows V5R2M0 or V5R3M0; these are the versions that contain Kerberos support for single sign-on. In larger shops, it is fairly common to find older iSeries Access versions still in use, so be sure to check this before you start. You should also download and install the latest iSeries Access for Windows service pack on the SSO-enabled PCs.
5. On your Windows desktop, enable iSeries Navigator Single Sign-On support for your partitions by changing their connection properties to use Kerberos.
This is discussed in section 7.3.2 of the redbook. Make sure that you are signed on to your Windows network as a domain user who has an EIM user identifier configured with target entries for the i5 partitions you want to access through SSO. This step involves opening the Properties menu for each iSeries Navigator i5/OS partition your user will use SSO on, and then changing the Sign-On Information parameter to use the Kerberos principal name, with no prompting. Do this for every partition on which this user will be using SSO.
Once this configuration is done, iSeries Navigator will inform you that the Kerberos change will not go into effect for iSeries Navigator until the program is closed and opened again. If you have configured Kerberos, SSO, and your EIM identifier correctly, you should be able to reopen iSeries Navigator and simply click on your Kerberos-enabled partition and the partition will automatically open without requesting a user ID and password. IBM gives instructions for verifying that SSO is working correctly in the redbook, but the easiest way to verify SSO connectivity is to simply reboot your machine and then try opening each of your SSO-enabled partitions through iSeries Navigator.
After I successfully configured iSeries Navigator for SSO, I found that it not only allowed me to transparently sign on to that application without entering a user ID and password, it also automatically enabled SSO for my ODBC drivers, which were configured to use my iSeries Navigator default connection properties to retrieve their default user IDs. So with one configuration change, I also configured Microsoft Excel, Access, and any other program that used ODBC for SSO to my Kerberos-enabled partition. In addition, I also found that applications that used my OLE DB driver also worked with SSO, presumably because they, too, were set to use the iSeries Navigator defaults for their default user IDs. In fact, most PC applications that are configured to use iSeries Navigator default connection properties for i5/OS sign-on should instantly convert to SSO for automatic sign-on, as long as iSeries Navigator is set up to use Kerberos.
6. If necessary, configure PC5250 to always use Kerberos as its default sign-on protocol.
Assuming PC5250 is not set up to use default iSeries Navigator connection properties, as explained in step four, you will also need to change PC5250’s default connection properties to use Kerberos for SSO. You do this by clicking on the Properties button on the Configure PC5250 screen, as explained in section 7.3.3 of the redbook.
7. Repeat steps two through six for desktop PCs and users that you want to configure for SSO.
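As an added example (my own code, not from the column or the redbook), the following CL program applies the i5/OS-side prerequisites from steps 1 and 3 for one target user profile in a way that is safe to rerun as you add SSO users. It assumes the profile name is passed as the single parameter, the program is compiled with CRTBNDCL, and the caller holds *SECADM and *ALLOBJ; the DTAAUT/OBJAUT settings and the use of CHGOWN are my choices, not something the article prescribes.

```cl
             PGM        PARM(&USRPRF)
/* Added example: apply the i5/OS prerequisites from steps 1 and 3    */
/* for one SSO target profile.  Hypothetical program, not IBM's code. */
             DCL        VAR(&USRPRF)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&RMTSIGN) TYPE(*CHAR) LEN(10)
             DCL        VAR(&HOMEDIR) TYPE(*CHAR) LEN(32)
             DCL        VAR(&MSG)     TYPE(*CHAR) LEN(80)

/* Fail early if the target profile does not exist on this partition. */
             CHKOBJ     OBJ(&USRPRF) OBJTYPE(*USRPRF)
             MONMSG     MSGID(CPF9801) EXEC(DO)
             CHGVAR     VAR(&MSG) VALUE('User profile' *BCAT &USRPRF +
                          *BCAT 'not found; no SSO changes made')
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) +
                          MSGTYPE(*ESCAPE)
             ENDDO

/* Step 1: QRMTSIGN must be *VERIFY or SSO cannot bypass the sign-on  */
/* screen.  Change it only when needed and record the old value.      */
             RTVSYSVAL  SYSVAL(QRMTSIGN) RTNVAR(&RMTSIGN)
             IF         COND(&RMTSIGN *NE '*VERIFY') THEN(DO)
             CHGSYSVAL  SYSVAL(QRMTSIGN) VALUE('*VERIFY')
             CHGVAR     VAR(&MSG) VALUE('QRMTSIGN changed from' *BCAT +
                          &RMTSIGN *BCAT 'to *VERIFY')
             SNDPGMMSG  MSG(&MSG)
             ENDDO

/* Step 3: every target profile needs an IFS home directory.  The     */
/* root file system is not case sensitive, so the profile name is     */
/* used as-is.  CPFA0A0 means the directory already exists: fine.     */
             CHGVAR     VAR(&HOMEDIR) VALUE('/home/' *CAT &USRPRF)
             CRTDIR     DIR(&HOMEDIR) DTAAUT(*EXCLUDE) OBJAUT(*NONE)
             MONMSG     MSGID(CPFA0A0)

/* The SSO user must be able to use its own directory; make it the    */
/* owner instead of widening *PUBLIC authority.                       */
             CHGOWN     OBJ(&HOMEDIR) NEWOWN(&USRPRF)
             CHGUSRPRF  USRPRF(&USRPRF) HOMEDIR(&HOMEDIR)

             CHGVAR     VAR(&MSG) VALUE('SSO home directory set for' +
                          *BCAT &USRPRF)
             SNDPGMMSG  MSG(&MSG)
             ENDPGM
```

Run it once per target profile on each SSO-enabled partition; the QRMTSIGN change is reported only the first time it is actually needed.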
At this point, you will have enabled SSO on your user desktops, using the configurations and techniques I covered in all four articles in this series. Unlike the server configurations, which are more complicated but only have to be performed once, client SSO configuration is much easier to perform. There are additional steps and techniques that you can use for expanding your SSO configuration and making it easier to maintain, but these articles will get you started using SSO on your network. Good luck with the process and be sure to drop me a line to let me know how you’re doing.
References:
Admin Alert: Getting Ready for Single Sign-On, Four Hundred Guru, April 27, 2005, Joe Hertvik
Admin Alert: Configuring i5/OS and a Windows Network Server for SSO, Four Hundred Guru, May 4, 2005, Joe Hertvik
Admin Alert: Configuring an i5/OS-based EIM Table for Single Sign-On, Four Hundred Guru, May 18, 2005, Joe Hertvik
Windows-Based Single Sign-On and the EIM Framework on the IBM eServer iSeries Server, IBM Redbook (SG24-6975-00)
Configuring connection-based automation in an i5/OS or OS/400 and Kerberos environment, IBM
Single Sign-On in a Single Day!, TriAWorks
Introduction to Single Sign-On with OS/400 and i5/OS (Presentation Slides), Skyview Partners as hosted on the COMMON Belgium Web site, Carol Woodbury
Single Sign-On Myths, IT Jungle, August 19, 2003, Pat Botz
Configuring i5/OS Single Sign-On (Presentation Slides), TriAWorks Web site, Pat Botz