IBM i Global

  • 1.  What is:  5770NAE   *BASE    5050    Network Authentication Enablement

    Posted 21 days ago

    What is:  5770NAE   *BASE    5050    Network Authentication Enablement

    My system says it is for V7R4 and I haven't run that in years.

    I realize that some products are skip ship and aren't always renewed with each release but I cannot find any mention of this product.



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------


  • 2.  RE: What is:  5770NAE   *BASE    5050    Network Authentication Enablement

    Posted 21 days ago

    Hi Robert, 

    This would be for integrating with AD / Kerberos. 

    See: https://www.ibm.com/docs/en/i/7.4.0?topic=scenarios-scenario-configuring-network-authentication-service

    I agree, though even Google these days is quite an effort to get information from. 



    ------------------------------
    Marius le Roux theIBMiGuy
    Owner , IBM i Consultant & Technology Strategist
    MLR Consulting
    ------------------------------



  • 3.  RE: What is:  5770NAE   *BASE    5050    Network Authentication Enablement

    Posted 21 days ago

    As far as I know, 5770NAE is required when setting up a single sign-on environment. Check out https://www.ibm.com/docs/en/i/7.5.0?topic=scenarios-scenario-enabling-single-sign-i.

    5770NAE is, indeed, not refreshed with V7R5. Check out https://www.ibm.com/docs/en/i/7.5.0?topic=reference-licensed-program-releases-sizes.

    FYI, it is refreshed with V7R6. Check out https://www.ibm.com/docs/en/i/7.6.0?topic=reference-licensed-program-releases-sizes.



    ------------------------------
    Marc Rauzier
    ------------------------------



  • 4.  RE: What is:  5770NAE   *BASE    5050    Network Authentication Enablement

    Posted 21 days ago

    You take this link:  https://www.ibm.com/docs/en/i/7.5.0?topic=scenarios-scenario-configuring-network-authentication-service  

    and you see 5770-NAE.

    Change 1 character in the link and get https://www.ibm.com/docs/en/i/7.6.0?topic=scenarios-scenario-configuring-network-authentication-service

    and you no longer see 5770-NAE.

    Oh well, we tried Kerberos and ended up abandoning that project.



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------



  • 5.  RE: What is:  5770NAE   *BASE    5050    Network Authentication Enablement

    Posted 21 days ago

    Interesting. 

    I have configured SSO on dozens, if not hundreds, of LPARs. Everywhere it communicates with Windows REALM and I have never installed 5770-NAE, while the SSO works well.

    I need to read carefully about what the product actually does. Thanks for pointing it out, Robert!



    ------------------------------
    Bartlomiej Grabowski
    IBM Champion - Platinum Redbook Author and Principal System Specialist
    ------------------------------



  • 6.  RE: What is:  5770NAE   *BASE    5050    Network Authentication Enablement

    Posted 21 days ago

    Could it have been for old releases? V5R4 perhaps? Now with later releases it was absorbed into the OS itself?

    Runs
     IBM i 5.4, or later, with the following options and licensed programs installed:

      • IBM i Host Servers (5770-SS1 Option 12)
      • Qshell Interpreter (5770-SS1 Option 30)
      • Network Authentication Enablement (5770-NAE)


    ------------------------------
    Marius le Roux theIBMiGuy
    Owner , IBM i Consultant & Technology Strategist
    MLR Consulting
    ------------------------------



  • 7.  RE: What is:  5770NAE   *BASE    5050    Network Authentication Enablement

    Posted 20 days ago
    Edited by Satid S 20 days ago

    Dear Bartlomiej 

    >>>> I have configured SSO on dozen if not hundreds LPARs. Everywhere it communicates with Windows REALM and I have never installed 5770-NAE, while the SSO works well. <<<<

    If my memory is still intact, 5770-NAE is needed only for running Kerberos Server in IBM i.  In your case, you use Kerberos Server on Windows Server instead.  I know a few of my IBM i customers who use SSO and all of them always run Kerberos Server on Windows Server.



    ------------------------------
    Satid S
    ------------------------------



  • 8.  RE: What is:  5770NAE   *BASE    5050    Network Authentication Enablement

    Posted 20 days ago

    Hi Rob,

    If I recall correctly, NAE is used for Kerberos authentication in a MS Windows domain environment for SSO.

    https://www.ibm.com/docs/en/i/7.6.0?topic=security-network-authentication-service

    Network authentication service

    Last Updated: 2025-04-08

    Network authentication service allows the IBM i product and several IBM i services, such as the IBM i Access Client Solutions, to use a Kerberos ticket as an optional replacement for a user name and password for authentication.

    The Kerberos protocol, developed by Massachusetts Institute of Technology, allows a principal (a user or service) to prove its identity to another service within an unsecure network. Authentication of principals is completed through a centralized server called a Kerberos server or key distribution center (KDC).
    Note: Throughout this documentation, the generic term Kerberos server is used.

    A user is authenticated with a principal and a password that is stored in the Kerberos server. After a principal is authenticated, the Kerberos server issues a ticket-granting ticket (TGT) to the user. When a user needs access to an application or a service on the network, the Kerberos client application on the user's PC sends the TGT back to the Kerberos server to obtain a service ticket for the target service or application. The Kerberos client application then sends the service ticket to the service or application for authentication. When the service or application accepts the ticket, a security context is established and the user's application can then exchange data with a target service. Applications can authenticate a user and securely forward his or her identity to other services on the network. When a user is known, separate functions are needed to verify the user's authorization to use the network resources.

    Network authentication service implements the following specifications:

    • Kerberos Version 5 protocol Request for Comment (RFC) 1510 and RFC 4120
    • Many of the de facto standard Kerberos protocol application programming interfaces (APIs) prevalent in the industry today
    • Generic Security Service (GSS) APIs as defined by RFCs 1509, 1964, 2743, and 4121

    The IBM i implementation of network authentication service operates with authentication, delegation, and data confidentiality services compliant with these RFCs and Microsoft's Windows Security Service Provider Interface (SSPI) APIs. Microsoft Active Directory uses Kerberos as its default security mechanism. When users are added to Microsoft Active Directory, their Windows identification is equivalent to a Kerberos principal. Network authentication service provides for interoperability with Microsoft Active Directory and its implementation of the Kerberos protocol.

    Mike Rydzewski



    ------------------------------
    Michael Rydzewski
    ------------------------------
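
The TGT and service-ticket exchange described in the documentation quoted in the last post, as an added Python walk-through (not part of the thread and not IBM's code). The cipher is a toy stand-in for a real Kerberos encryption type, the principal names and password are constructed, and pre-authentication and replay caches are left out.

```python
import hashlib, hmac, json, os, time

USER, SVC = "alice@EXAMPLE.COM", "host/ibmi.example.com@EXAMPLE.COM"  # constructed names

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key, obj):
    # Toy authenticated encryption; a real KDC uses a Kerberos enctype here.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def str2key(principal, password):
    # Long-term key derived from the password; the KDC stores this, not the service.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)

def check(ticket_key, ticket, authenticator):
    # A ticket opens only under the key it was sealed with; the authenticator
    # proves the sender holds the session key carried inside that ticket.
    t = unseal(ticket_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or t["exp"] < time.time():
        raise ValueError("ticket rejected")
    return t

class KDC:
    def __init__(self, keys):
        self.keys, self.tgs_key = keys, os.urandom(32)
    def _issue(self, ticket_key, reply_key, client):
        sk = os.urandom(32).hex()
        ticket = seal(ticket_key, {"client": client, "key": sk, "exp": time.time() + 600})
        return ticket, seal(reply_key, {"key": sk})
    def as_req(self, user):                          # issues the TGT
        return self._issue(self.tgs_key, self.keys[user], user)
    def tgs_req(self, tgt, authenticator, service):  # TGT in, service ticket out
        t = check(self.tgs_key, tgt, authenticator)
        return self._issue(self.keys[service], bytes.fromhex(t["key"]), t["client"])

def sso_login(kdc, user, password, service, service_key):
    tgt, reply = kdc.as_req(user)
    k1 = bytes.fromhex(unseal(str2key(user, password), reply)["key"])
    ticket, reply = kdc.tgs_req(tgt, seal(k1, {"client": user}), service)
    k2 = bytes.fromhex(unseal(k1, reply)["key"])
    # The service receives only the ticket and authenticator, never the password.
    return check(service_key, ticket, seal(k2, {"client": user}))["client"]
```

A wrong password fails at the first `unseal` on the client, and a service holding a different key than the one registered with the Kerberos server rejects the ticket in `check`.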