
I am trying to create a single sign-on connection to a System i server using the example published in IBM's iSeries Telnet Enhancements RFC 4777 within a client telnet app written in C++.

The code sample given calls AcquireCredentialsHandle and then a call to InitializeSecurityContext. The call to InitializeSecurityContext returns an error of SEC_E_TARGET_UNKNOWN, presumably because it does not understand the target name I am passing.

RFC 4777 says this target name should be a string with krbsrv400 then my server name fully qualified in lower case. I interpreted this as "krbsrv400/iseries.domain.com". I've tried a variety of combinations here but can't get anything to work and have not yet found any other code samples that use the MS SSPI API to connect to IBM System i.

I know the Kerberos setup on the System i and domain is working OK as IBM's own iSeries Access is able to log in OK and perform a telnet 5250 sign-on using Kerberos.

I am running on Windows 7 signed into a domain. The domain is set up under Active Directory in Windows 2008. I'm using MS Visual Studio 2005 to build my telnet app. The System i server OS is V6R1.

Has anyone got this sample code working?

Any advice on what the format of the target name should be when using it to talk to System i?

Thanks!

Additional info: 9/8/2011

Have got this working OK under Windows XP client with a Windows 2003 managed Domain.

There were two errors in the RFC:

1) It said to use a name of "krbsrv400/spi name" but looking at the ticket in kerbtray that was generated when I logged in using iSeries Access, I saw the actual format was "krbsvr400/spi name".

2) The RFC said to pad the ticket length sent to the System i, but when I used Wireshark to look at the IBM iSeries Access telnet, I found they did not pad it.

Changing the above got single sign-on working OK in my app on Windows XP. I am still experiencing problems on Windows 7.

This is a different domain (managed by the company, and on Windows 2008 and Windows 2003 servers across the world) and with a different iSeries.

Strangely, I can use Kerberos login in System i Access OK, but when I look in kerbtray I do not see a krbsvr400/... ticket for the System i machine like I do on Windows XP. My app does not work and fails with a SEC_E_TARGET_UNKNOWN error.

Rich
  • Two things: 1. Is the Kerberos realm you are signed into the same as the Kerberos realm you used for the System i? If not, are the two in some kind of trust relationship? 2. Windows uses AD to look up the SPN of your service, so have a look inside your Active Directory to see if you find a `servicePrincipalName` for your System i machine. – schlenk Jul 27 '11 at 23:06
  • Thanks for some feedback. We use IBM EIM to establish the trust relationship between the System i and Windows domain. Will do some digging to see if I can get the SPN locked down. – Rich Aug 09 '11 at 08:51
  • I know it's been 5 years but I will give it a try... Could you post your code? I'm trying to implement the same thing, following the RFC example and I'm getting a different return code. SEC_I_CONTINUE_NEEDED. I think it would be really helpful if you could find and post your code. – muku Oct 04 '16 at 10:03
  • I can't publish the code as it is now owned by a different company, and I don't have access, but as I recall, it was identical to the RFC code bar the notes I made above. If I recall, the SEC_I_CONTINUE_NEEDED is when your authentication has to go through multiple phases, I think it is just a case of taking the returned token and passing it through the same API again. Think there is an example on the MSDN site. – Rich Oct 05 '16 at 11:38
  • OK. Thanks for getting back to me. I'm sort of progressing through this. I still get the same return code. This time though the token I receive is around 3200 bytes. At first it was just 64 so I knew something was fishy. I speculate the return code must be OK. I pad the token as described in the RFC and pass it to the 5250 telnet session but SSO doesn't work. I'm trying to figure out what's going on at the moment. I'll try to pass it without padding as you say above. – muku Oct 06 '16 at 10:56
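As an added example (not code from the question, IBM or RFC 4777), here is the portable part of what Rich's two corrections amount to in C++, which muku's last comment also runs into: the SSPI target name uses the service class krbsvr400 with the lower-case fully qualified host, and the ticket goes out at its real length, unpadded. It assumes the ticket is carried as the value of the NEW-ENVIRON USERVAR "IBMTICKET", so the RFC 1572 escaping rules for binary values apply; the SSPI calls themselves are left out.

```cpp
// Added example, not code from the question, IBM or RFC 4777. Assumes the ticket is
// sent as the NEW-ENVIRON USERVAR "IBMTICKET" value, so RFC 1572 escaping applies.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <string>
#include <vector>

typedef std::vector<uint8_t> Bytes;
const uint8_t IAC = 255, SB = 250, SE = 240, NEW_ENVIRON = 39;         // RFC 854/1572
const uint8_t ENV_IS = 0, ENV_VALUE = 1, ENV_ESC = 2, ENV_USERVAR = 3; // RFC 1572

// SSPI target name / SPN: service class "krbsvr400" (what kerbtray showed, not the
// RFC's "krbsrv400") followed by the fully qualified host name in lower case.
std::string IbmTelnetTargetName(std::string host) {
    std::transform(host.begin(), host.end(), host.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return "krbsvr400/" + host;
}

// IAC SB NEW-ENVIRON IS USERVAR "IBMTICKET" VALUE <ticket> IAC SE. The ticket keeps its
// real length (no padding); IAC is doubled and bytes 0..3 (VAR/VALUE/ESC/USERVAR) get ESC.
Bytes EncodeIbmTicketSuboption(const Bytes& ticket) {
    const std::string name = "IBMTICKET";
    Bytes out = {IAC, SB, NEW_ENVIRON, ENV_IS, ENV_USERVAR};
    out.insert(out.end(), name.begin(), name.end());
    out.push_back(ENV_VALUE);
    for (uint8_t b : ticket) {
        if (b == IAC) out.push_back(IAC);
        else if (b <= ENV_USERVAR) out.push_back(ENV_ESC);
        out.push_back(b);
    }
    out.insert(out.end(), {IAC, SE});
    return out;
}

// Server-side view: recover the ticket bytes, undoing the escaping; empty if malformed.
Bytes DecodeIbmTicketSuboption(const Bytes& sub) {
    Bytes prefix = EncodeIbmTicketSuboption(Bytes());
    prefix.resize(prefix.size() - 2);  // everything up to and including VALUE
    Bytes ticket;
    if (sub.size() < prefix.size() + 2 ||
        !std::equal(prefix.begin(), prefix.end(), sub.begin())) return ticket;
    for (size_t i = prefix.size(); i + 1 < sub.size(); ++i) {
        if (sub[i] == IAC && sub[i + 1] == SE) return ticket;  // IAC SE ends it
        if (sub[i] == IAC || sub[i] == ENV_ESC) ++i;           // drop escape byte
        ticket.push_back(sub[i]);
    }
    return Bytes();  // unterminated suboption
}
```

A constructed 7-byte token containing 0xFF and the four RFC 1572 control bytes encodes to 29 bytes and decodes back unchanged, which is the check to run against a Wireshark capture of the IBM client.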
