Enterprise Identity Mapping (CMS kerberos authentication)
- Open I Navigator from Access Client Solutions
- Go to Network
- Go to All Tasks
- Go to Enterprise Identity Mapping
- Go to Domain Management
- Right Click on EIM and select Connect (Reconnect)
-
Enter the password hadtificate
- Right click on Identifiers and select Open, to ensure users are visible and there is good connection
- Go back to EIM (Localhost) Tab
- Right Click Identifiers and select "New Identifier"
- Enter Identifier name. Identifier = Firstname Lastname (i.e John Smith)
- Enter Description. This should be the title of user
- Alias does not need to be filled out
- Select "OK"
- Select the "Associations" Tab on the left hand side
- Select "Add"
- Use "Browse" to select the "GRANDVILLE.LOCAL" domain. Type will be kerberos automatically.
- Select the Domain and press OK
- Ensure Registry value shows "GRANDVILLE.LOCAL"
- The user input will be firstname.lastname in most cases. This user needs to match the login user from Active Directory. (i.e. John.Smith, or for Service Pack spack, as it has different login)
- For GRANDVILLE.LOCAL kerberos authenticaion, ensure that the Association type is "Source"
- Users are authenticating FROM active directory TO the AS400
- After information is entered and verified, press OK to add the association
- Select "Add" to add another association
- The Registry might already show S1004D1C.GRANDVILLE.LOCAL. STILL click browse and select the option for the domain to ensure it is active
- User entry will now be the AS400 (CMS) username to be associated. (i.e. JSMITH)
- The association type for this will be the Target.
- Once information is verified, press OK.
This will be all the steps to complete the authentication on the AS400 (iNavigator) side. Now the clients profile on the machine must be modified
- Open Access Client Solutions
- Go to system configurations
- If previous configuration exists. Go to Edit. If not, select NEW
- System name MUST be S1004D1C
- Select the connection tab (2nd tab on top row)
- Select the option for "Use kerberos authentication; do not prompt"
- Select OK to save the configuration
- If user has any existing 5250 emulator sessions saved, remove and ensure the connection protocol is "Use IBM i Access Client Solutions setting"
For ODBC Excel Connections, Clear the Connection with the following command
Use below command to remove saved authentication.
cwbcfg /host S1004D1C /uid username /del
Re-open document, when prompted, select Kerberos Authentication