Single Sign-On with Windows 2003 and iSeries...

Status
Not open for further replies.
Anyone done this?

We're going to be deploying a document management system that uses both MS SQL, Windows and our patient management system on an iSeries. Unfortunately the user names and passes for Windows are different than on the iSeries, and they need to be.

Has anyone deployed SSO for their Windows/iSeries environment? Seems relatively straightforward, but would like to know if anyone had any issues, gotchas or "stay the hell away from it" stories.

Thanks.

J.R.
 
One word of caution: a lot depends on the password scheme you set up on your Windows system and on your iSeries. Normally the iSeries is less forgiving about password validations, and how many times a user gets to try and sign on before something happens. For example, on our system, after trying to sign on 3 times and not being successful, we have the machine configured to disable the userid, i.e. that user cannot sign on anywhere until someone goes into security and enables the userid. Typically the password for the user on the iSeries expires after 60 to 90 days, and a new one is issued, which can cause problems, as most Windows users never change their passwords. So you will have some admin work to do with passwords.
 
jmd0252,

Thanks for the insight. I have a sort of reverse setting, with Windows passwords being changed at intervals and the iSeries not so much. Although I do believe we are also set to 3 tries before their profile is disabled too (might be 5; have to check again).

My only other options (to reduce admin overhead) are to match Windows / iSeries usernames and passwords and pretty much disable password changing, which I'd rather not do, or disable my password complexity requirements and manually create an account on the local machine with the iSeries credentials. So either way it can become a pain and hopefully SSO could solve that in the long run.

Thanks again for your reply!

J.R.
 
Since our users have to log into an application after the iSeries logon, the security at the connection/initial login is not as relevant. We've disabled the qmaxsignon system value. (Not a good idea!!!) Someone could brute force qsecofr. However, not my call.

To aid in password changes, I wrote a small application to allow users to change their iSeries password. You're welcome to use it if you'd like. Let me know and I'll ship a copy to you. It captures the username from windoze then requires the old password along with the new (and re-type new), allowing our users to synchronize their own passwords and cut down on some calls to our helpdesk.

Mark

There are 10 types of people in this world, those who understand binary and those who don't.
 
Mark, thanks.

As far as I know this app will run either with a "runas" command in the front or it will just send the current Windows user name and (password?) along with a Kerberos name. So using the name mapping and Active Directory Kerberos should work like a charm, and aside from Kerberos errors we shouldn't have to worry about account lockouts.

At any rate it's something I have to research and do some major testing on. Not to mention I'll probably have to order the Crypto PTFs that didn't come with the system.

Thanks all for your help!
 