Kerberos Single Sign on

Posted: Thu Apr 19, 2012 9:25 am
by Matze
I have configured Kerberos and it works well. When I launch Genie in the web browser I get a Kerberos ticket, but then I get the sign-on screen.
How can I bypass the sign-on screen in the Genie session?

Re: Kerberos Single Sign on

Posted: Thu Apr 19, 2012 11:46 am
by Brian
Did you modify your httpd.conf file and restart Profound UI as instructed here?

http://www.profoundlogic.com/docs/display/PUI/Kerberos

Re: Kerberos Single Sign on

Posted: Mon May 07, 2012 10:56 am
by Matze
Yes, I modified the httpd.conf based on the manual.
I get a Kerberos ticket when I access the URL; I can see this with the 'klist' command.
But then I get the sign-on screen; it looks like the sign-on screen of the 5250 emulation.

I don't have any idea what I can do now.

Maybe I have to edit the user profile on the System i?

Re: Kerberos Single Sign on

Posted: Mon May 07, 2012 11:06 am
by David
The default "httpd.conf" directives allow for a dual-purpose setup. It will use Kerberos only when a certain URL pattern is used. Otherwise, the 5250 sign-on display will be used.

To launch using Kerberos authentication through the HTTP server:

http://yourserver:8080/profoundui/auth/genie

To make all URLs use Kerberos authentication, you'd have to put the example directives inside a Directory block which applies to all URLs.

Another thing to look at is your web browser. Which one are you using? The only current browser which will do Kerberos without any configuration is Chrome. In Internet Explorer, you have to turn on the option:

Internet Options->Advanced->Security->Enable Integrated Windows Authentication.

For Firefox, see here:

http://grolmsnet.de/kerbtut/firefox.html
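To make the dual-purpose setup David describes concrete, here is an added example of what such an "httpd.conf" layout can look like. It is not taken from the thread, from Matze's attached file, or from the Profound UI documentation. The directive names (AuthType Kerberos, PasswdFile %%KERBEROS%%, UserID %%CLIENT%%, ProfileToken) follow the IBM HTTP Server (powered by Apache) for i Kerberos documentation as I recall it; the path /profoundui/genie for the non-Kerberos URL and the use of Location rather than Directory blocks are my assumptions, so check them against your own file before copying anything.

```apache
# Added example (not from the thread or the Profound UI docs).
# Directive names assumed from the IBM HTTP Server for i Kerberos docs;
# verify against your own httpd.conf.

# Plain Genie URL: no HTTP authentication is required, so the Genie
# session shows the normal 5250 sign-on display. (Path is an assumption.)
<Location /profoundui/genie>
    Order allow,deny
    Allow from all
</Location>

# Kerberos-only URL (the one David names): the browser must present a
# Kerberos ticket. The server maps the Kerberos principal to an IBM i
# profile via EIM (UserID %%CLIENT%%) and creates a profile token for the
# job (ProfileToken on), which Genie then uses to skip the sign-on display.
<Location /profoundui/auth/genie>
    AuthType Kerberos
    PasswdFile %%KERBEROS%%
    UserID %%CLIENT%%
    ProfileToken on
    Require valid-user
</Location>

# To require Kerberos for every URL instead, move the five directives above
# into a block that matches all paths, for example <Location />. Keep in
# mind that clients without a ticket then get an HTTP 401 rather than the
# 5250 sign-on fallback.
```

Two practical checks follow from this layout: if the plain URL still shows the sign-on display, that is by design and not a Kerberos failure; and if the Kerberos URL authenticates (no 401) but still lands on the sign-on display, the ticket was accepted and the problem lies downstream in the EIM mapping or in the profile token being rejected, which is where David's later job-log suggestion applies.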

Re: Kerberos Single Sign on

Posted: Tue May 08, 2012 4:42 am
by Matze
My default browser is Chrome.
I attached a screenshot of the Chrome window and the httpd.conf file from the HTTP server.
Which block do I have to edit?

Re: Kerberos Single Sign on

Posted: Tue May 08, 2012 10:22 am
by David
The configuration looks fine -- you'd only have to make changes if you want to use a different URL, other than /profoundui/auth/genie.

We can look at that separately after we get it working for you, if you like.

A couple of things to consider:

1. I think the basic Kerberos setup is good, because you would not even get the Genie page at all (you'd get an authentication error) if this was not working properly. When you use the /profoundui/auth/genie URL, Kerberos authentication is required to even view the page. So that much is good, I think.

2. Check the system value QRMTSIGN. This must be set to *VERIFY to bypass the 5250 sign-on display.

3. Have you configured Enterprise Identity Mapping? This is required in order for the system to map the Windows sign-on to an iSeries profile.

Re: Kerberos Single Sign on

Posted: Fri May 11, 2012 8:18 am
by Matze
The system value QRMTSIGN is set to *VERIFY and Enterprise Identity Mapping is also configured.
Kerberos authentication works very well with the System i Access for Windows 5250 emulation, and when I access the /profoundui/auth/genie URL the client gets a Kerberos ticket from the System i.
So Kerberos with the HTTP server works.

Re: Kerberos Single Sign on

Posted: Fri May 11, 2012 9:16 am
by David
In that case, it seems that you have everything configured correctly. If you look at the PROFOUNDUI HTTP server jobs, you can find the job that handles your Genie session by looking for a message like this:

'Handling 5250 session for device QPADEVXXX'

When the automated sign-on fails, are there any messages in the job log?

The way it works is like this:

1. Once you are authenticated to the HTTP server using Kerberos (which looks to be working properly in your case), the system creates a profile token in the job. This is due to the 'ProfileToken' directive in the "httpd.conf".

2. Genie simply looks for this token, and if present, passes it along to the system APIs which establish the 5250 session.

3. If the system API accepts the token, the sign-on display is bypassed automatically.

4. If it rejects the token for some reason, a message gets put into the job log, but the job doesn't fail; you just come to the sign-on display.

Are there any useful messages in the log?

Re: Kerberos Single Sign on

Posted: Tue May 15, 2012 8:40 am
by Matze
I attached the job log of the HTTP server job.

I can't see any error message.

Re: Kerberos Single Sign on

Posted: Thu May 17, 2012 11:32 am
by David
In that case, it seems you have everything set up properly -- I'm not sure what else to check.

I'd recommend opening an issue with technical support so that we can look at this with you further -- possibly over a web meeting.