Web Express Logon Tutorial


Scenario #3: Connection-based automation: Configuring Web Express Logon in an OS/400 and Kerberos environment

You are an administrator who manages the network for the shipping and receiving department for a large apparel manufacturer. Throughout the day, hundreds of manufacturer's representatives log on to the network and connect to two iSeries host systems (both running OS/400 V5R2) to access order entries, order status, and shipping and inventory information. With Host On-Demand, they have immediate, Web-based access to this data. You are in charge of maintaining this environment.

Now that you have upgraded to Host On-Demand Version 8 and OS/400 V5R2 with Kerberos authentication enabled, you plan to accomplish two main tasks:

Before you implement Web Express Logon, you must configure your OS/400 environment for single sign-on capability. This requires you to configure network authentication service (NAS) and Enterprise Identity Mapping (EIM), both of which are available with the OS/400 V5R2 operating system. In broad terms, NAS allows an iSeries server to participate in a Kerberos realm, and EIM provides a mechanism for associating Kerberos principal names (names of users in a Kerberos network) with a single EIM identifier that represents that user in the entire enterprise. They work together to provide a single sign-on environment. Host On-Demand uses this existing methodology for acquiring credentials to allow users to bypass the host session login screen.

In this scenario, you must configure NAS so your OS/400-based iSeries systems will accept Kerberos tickets from the Windows 2000 server KDC. The KDC maintains a database of principal names and passwords within the Kerberos realm. When users attempt to access an application, they request a ticket called a ticket granting ticket (TGT) from the KDC. If authenticated, they are granted a TGT and can access the desired application.

OS/400 single sign-on capability can work with a single iSeries host server or across multiple iSeries systems. In this scenario, you are configuring two iSeries systems.

To configure OS/400 single sign-on and Web Express Logon, you take the following steps:

Step 1 Complete the planning worksheets
Step 2 Enable OS/400 single sign-on: Part I
Step 3 Enable OS/400 single sign-on: Part II
Step 4 Begin creating your HTML file
Step 5 Configure your Host On-Demand session
Step 6 Finish creating your HTML file



Click Next to complete the planning worksheets.
