I'm familiar with the standard process; I just require a link to the documentation.
Original Message:
Sent: Thu March 28, 2024 11:33 AM
From: Steve Sisk
Subject: Kerberos principal accounts password rotation tool
Hi Krzysztof,
Implementing computer accounts for Kerberos requires rebuilding the Kerberos configuration on IBM i and on the Windows domain controllers. An IBM i administrator and a Windows administrator are required. The change will require about one hour, during which time SSO will be unavailable for about 20 minutes. EIM (Enterprise Identity Management) is not impacted by this change.
Let me know if you have additional questions.
------------------------------
Steve Sisk
Senior Security Consultant
Fortra
Original Message:
Sent: Mon March 25, 2024 06:42 AM
From: Krzysztof Jarzynski
Subject: Kerberos principal accounts password rotation tool
Hi Steve,
That is a very good suggestion. Thank you.
Would you be so kind as to share the technical documentation links with me?
This will allow me to assess what is involved and determine if there is any external support required.
------------------------------
Krzysztof Jarzynski
Original Message:
Sent: Fri March 22, 2024 02:19 PM
From: Steve Sisk
Subject: Kerberos principal accounts password rotation tool
Hi Krzysztof,
One method of streamlining password changes for Kerberos service principals is the use of computer accounts instead of user accounts. In contrast to user accounts, more than one service principal is allowed per computer account. The only service principal requiring a user account is HTTP. Transitioning to computer accounts would reduce the password activities to two distinct actions, regardless of the quantity of service principals defined for a particular IBM i partition.
We could assist you with transitioning to computer accounts, along with a process to facilitate password changes.
------------------------------
Steve Sisk
Senior Security Consultant
Fortra
Original Message:
Sent: Fri March 22, 2024 04:42 AM
From: Krzysztof Jarzynski
Subject: Kerberos principal accounts password rotation tool
Hi Dominique,
While we are familiar with the command line procedure, managing over 80 partitions with 15 principals each, and requiring a unique password change every 90 days poses a significant challenge. This is why I'm seeking a helper tool or solution to streamline this process. If any upcoming features or solutions address this specific scenario, I would be interested in learning more about them.
------------------------------
Krzysztof Jarzynski
Original Message:
Sent: Fri March 22, 2024 03:20 AM
From: Dominique Gayte
Subject: Kerberos principal accounts password rotation tool
Krzysztof,
The difficulty is to change the password of the Kerberos service account in the AD and the IBM i Kerberos principal at the same time, or at least at a time when there is no SSO connection.
The Kerberos ticket is encrypted using AES, which is a symmetric key protocol (the same key is used to encrypt and decrypt). The key that encrypts is the password of the AD Kerberos service account, the key that decrypts is the password of the IBM i principal. Therefore, they must be identical.
For your information, our AD-iCT software dedicated to IBM i SSO will integrate this function in its next version, in particular through a REST API that allows you to do the operation from a PowerShell in the AD.
------------------------------
Dominique Gayte
Président (CEO)
gayte it
Saint Jean la Fouillouse
+33630170255
Original Message:
Sent: Thu March 21, 2024 12:57 PM
From: Krzysztof Jarzynski
Subject: Kerberos principal accounts password rotation tool
We're encountering a new challenge where our KDC/AD administrators have observed that IBM i Kerberos principal account passwords are not being regularly changed. To address this, we intend to utilize commands such as CHGKRBPWD, RMVKRBKTE, and ADDKRBKTE and store encrypted passwords somewhere on the IFS. However, it's possible that someone has already implemented a similar solution and would be willing to share it, preferably utilizing Ansible.
Would anyone who has experience with this be willing to provide guidance or share their implementation?
I've checked IBM LAB Security Services offering and I did not find any tool available.
------------------------------
Krzysztof Jarzynski
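The plan in the original post (CHGKRBPWD, then RMVKRBKTE and ADDKRBKTE, with the passwords kept encrypted on the IFS) and Dominique's point that the KDC password and the keytab key must match, and so should change together, can be put into one script run on the partition itself. The following is an added example written for this thread; it is not code from any poster, from Fortra or from IBM. It assumes that the PASE `system` utility runs CL commands, that CHGKRBPWD, RMVKRBKTE and ADDKRBKTE accept the PRINCIPAL, PASSWORD and NEWPASSWORD parameters exactly as spelled below, that openssl is in PATH on the partition, and that the IFS paths /home/KRBROT/store and /home/KRBROT/store.key, the principal name and the function names are hypothetical choices for the example.

```shell
#!/bin/sh
# Added example (not from the thread, Fortra or IBM): rotate one IBM i Kerberos
# service principal from PASE so that the KDC (AD) password and the keytab
# entry change seconds apart, and keep the new password encrypted on the IFS.
# Assumptions: PASE `system` runs CL; CHGKRBPWD/RMVKRBKTE/ADDKRBKTE take the
# parameters written below; openssl is in PATH; KEYFILE holds the passphrase
# of the store and is readable only by the rotation profile.
# DRY_RUN=1 prints the CL commands instead of running them.

STORE_DIR=${STORE_DIR:-/home/KRBROT/store}    # hypothetical IFS directory
KEYFILE=${KEYFILE:-/home/KRBROT/store.key}    # hypothetical passphrase file
DRY_RUN=${DRY_RUN:-0}

# CL string literals are single-quoted; a quote inside the value is doubled.
cl_quote() { printf '%s' "$1" | sed "s/'/''/g"; }

# Map a principal such as krbsvr400/host.example.com@EXAMPLE.COM to a file name.
store_file() { printf '%s/%s.enc' "$STORE_DIR" "$(printf '%s' "$1" | tr '/@' '__')"; }

# 32 random characters from [A-Za-z0-9]: three AD complexity classes and
# nothing that needs CL quoting.
gen_password() { openssl rand -base64 48 | tr -dc 'A-Za-z0-9' | cut -c1-32; }

# One encrypted file per principal, overwritten on each rotation.
store_password() {  # $1 principal, $2 password, $3 suffix ("" or ".pending")
    mkdir -p "$STORE_DIR" && chmod 700 "$STORE_DIR"
    printf '%s' "$2" | openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass "file:$KEYFILE" -out "$(store_file "$1")$3"
}
read_password() {   # $1 principal; current password on stdout
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$KEYFILE" -in "$(store_file "$1")"
}

# The three CL commands for one principal, one per line, for review or execution.
build_rotation_cmds() {  # $1 principal, $2 current password, $3 new password
    p=$(cl_quote "$1"); o=$(cl_quote "$2"); n=$(cl_quote "$3")
    printf "CHGKRBPWD PRINCIPAL('%s') PASSWORD('%s') NEWPASSWORD('%s')\n" "$p" "$o" "$n"
    printf "RMVKRBKTE PRINCIPAL('%s')\n" "$p"
    printf "ADDKRBKTE PRINCIPAL('%s') PASSWORD('%s')\n" "$p" "$n"
}

run_cl() {  # $1 CL command string
    if [ "$DRY_RUN" = 1 ]; then echo "DRY: $1"; else system "$1"; fi
}

# Order matters: persist the new password as ".pending" BEFORE touching the KDC,
# so a failure between CHGKRBPWD and ADDKRBKTE leaves the new password
# recoverable for a manual ADDKRBKTE instead of a principal nobody knows.
rotate_principal() {  # $1 principal
    old=$(read_password "$1") || { echo "no stored password for $1" >&2; return 1; }
    new=$(gen_password)
    store_password "$1" "$new" .pending || return 1
    build_rotation_cmds "$1" "$old" "$new" | while IFS= read -r cmd; do
        run_cl "$cmd" || exit 1
    done || { echo "rotation of $1 failed; new password is in $(store_file "$1").pending" >&2; return 1; }
    mv "$(store_file "$1").pending" "$(store_file "$1")"
}

# Rotate every principal given on the command line; keep going after a failure
# and report it through the exit status.
main() { rc=0; for p in "$@"; do rotate_principal "$p" || rc=1; done; return $rc; }

if [ $# -gt 0 ]; then main "$@"; fi
```

Before the first run, seed the store once per principal with the password currently in use (`store_password "$principal" "$currentpw" ""`), since CHGKRBPWD needs the old password. Run it as `DRY_RUN=1 sh krbrot.sh krbsvr400/...@REALM` first to review the CL it would issue. RMVKRBKTE drops the old key from the keytab, so service tickets that clients already hold under that key stop decrypting until they obtain new ones; that is the window Dominique refers to, so schedule the run for a time with no SSO traffic. The passwords are passed as CL command arguments, so check what the job log and history retain on your release before relying on it, and keep the passphrase file out of any Ansible inventory that is shared more widely than the partition.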