I would plan anyway to migrate to a single hostname.
Anyway, your primary issue was probably a timing issue, but I wonder if SSO works based on SYSPROD as the reverse DNS is pointing to SYSTOP1.
Maybe your mapuser corrects this but I still find it a "special" solution (and Kerberos by itself is more than complex enough by default).
Original Message:
Sent: Thu September 25, 2025 11:02 AM
From: Jorge Lee
Subject: SSO Single sign on IBM i
Hello Paul,
I would also stick to just one system name, but the current environment doesn't allow that - their applications rely on those names (SYSPROD / SYSTOP1 / qsystop1).
Here's the result of the ping -a 10.10.1.20:
C:\Users\support>ping -a 10.10.1.20
Pinging SYSTOP1.PROD.COM [10.10.1.20] with 32 bytes of data:
Reply from 10.10.1.20: bytes=32 time<1ms TTL=63
Reply from 10.10.1.20: bytes=32 time=1ms TTL=63
Reply from 10.10.1.20: bytes=32 time=1ms TTL=63
Reply from 10.10.1.20: bytes=32 time=1ms TTL=63
Ping statistics for 10.10.1.20:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
------------------------------
Jorge Lee
Original Message:
Sent: Wed September 24, 2025 02:00 AM
From: Paul Nicolay
Subject: SSO Single sign on IBM i
Having multiple system names is asking for problems with Kerberos in my opinion (and I would get rid of it).
BTW, what's the result of a ping -a 10.10.1.20 ?
------------------------------
Paul Nicolay
Original Message:
Sent: Tue September 23, 2025 06:49 PM
From: Jorge Lee
Subject: SSO Single sign on IBM i
Hello everyone,
I am currently working on setting up Single Sign-On (SSO) with Kerberos in an IBM i environment and would like to share the configuration details and the issue we are facing, hoping someone in the community can provide guidance or has encountered a similar situation
*****************************************************************************************************************
Environment
*****************************************************************************************************************
IBM i Server
Version: 7.5
Cumulative PTF: C5100750
DNS names associated with the same server:
SYSPROD.PROD.COM (10.10.1.20)
SYSTOP1.PROD.COM (10.10.1.20, defined in CFGTCP option 12)
qsystop1.PROD.COM (alias pointing to SYSPROD.PROD.COM)
PTR record for IP 10.10.1.20 resolves to both: SYSTOP1.PROD.COM and SYSPROD.PROD.COM
Active Directory
Windows Server 2022 (10.0.20348.3692)
Domain Controller: SRVDC01.PROD.COM (10.10.1.20)
Clients
IBM i Access Client Solutions (ACS) 1.1.9.9
Client Access 7.1m0 SI68573 (still in use by some users, migration in progress)
**************************************************************************************************************
Current Configuration
**************************************************************************************************************
In IBM i NetServer, only the Kerberos authentication option was enabled using the setup wizard.
Users can successfully access shared folders via \\qsystop1 and even map them as a network drive.
Kerberos authentication on IBM i was configured as follows:
Two entries were manually added to the keytab via SSH:
keytab add krbsvr400/SYSPROD@PROD.COM -p password
keytab add krbsvr400/SYSPROD.PROD.COM@PROD.COM -p password
DSADD user "cn=SYSTOP1_9_krbsvr400,cn=users,dc=PROD,dc=COM" -pwd passw0rd -display SYSTOP1_9_krbsvr400 -pwdneverexpires yes -desc "IBM i Kerberos services on system SYSPROD"
KTPASS -MAPUSER SYSTOP1_9_krbsvr400 -PRINC krbsvr400/SYSPROD.PROD.COM@PROD.COM -PASS passw0rd -mapop set -crypto All -ptype KRB5_NT_PRINCIPAL
DSADD user "cn=SYSTOP1_10_krbsvr400,cn=users,dc=PROD,dc=COM" -pwd passw0rd -display SYStop1_10_krbsvr400 -pwdneverexpires yes -desc "IBM i Kerberos services on system SYSPROD"
KTPASS -MAPUSER SYStop1_10_krbsvr400 -PRINC krbsvr400/SYSPROD@PROD.COM -PASS passw0rd -mapop set -crypto All -ptype KRB5_NT_PRINCIPAL
Two user accounts were created in Active Directory through a .bat script.
kinit -k tests succeeded with both entries.
Authentication with a test user also worked correctly.
This setup was required because the application/ODBC connection uses the name SYSPROD, while the IBM i system itself is configured with SYSTOP1.PROD.COM in CFGTCP option 12.
Reported Issue
******************************************************************************************************************************************************
The error occurs randomly for some users, affecting both Client Access and IBM i Access Client Solutions:
Error in IBM i / ACS
CWBSY1017 – "Kerberos credentials not valid on system SYSTOP1 rc=612"
Error in ODBC
Runtime Error '1060':
Error code: 8057
[IBM][System i Access ODBC Driver] Communication link failure.
comm rc=8057 - CWBYS1017 - Kerberos credentials not valid on system SYSPROD rc=8057
Password length = 0, Prompt Mode = If Necessary, System IP Address = 10.10.1.20
The issue appears only randomly and specifically with Kerberos authentication on IBM i.
Could the multiple server names (SYSTOP1 / SYSPROD / qsystop1) and the way the SPN/keytab entries were created be causing these random Kerberos authentication failures?
Has anyone faced a similar issue, and what would be the best approach to stabilize SSO in this scenario?
------------------------------
Best Regards,
Jorge Lee
------------------------------