The idea was to let users, who have accounts in the MS AD, log on to Informix database running on Solaris without requiring to enter credentials again as they are already authenticated in the domain on their Windows workstations. So, we will configure Informix for Kerberos and Single Sign-On (SSO) authentication for Windows clients. This configuration can be called the logical conclusion of a previous configuration with PAM.

Informix box must be preconfigured and joined AD domain like in this my example for Solaris and MS AD. Installing the latest patches is strongly recommended as some related bugs were fixed recently in Solaris and Informix.

  1. On any Domain Controller:
    • create a service account in AD, one per server/alias
    • run setspn -A <sso_alias>/<informix_server> <informix_server>
    • run ktpass -princ <sso_alias>/<informix_server> -mapuser <serv_acc>@DOMAIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass <serv_acc_password> -out my.keytab
    • upload generated keytab file to Informix server
  2. On the Informix box:
    • run ktutil and insert generated key to existing keys file:
      ktutil:  rkt /upload/my.keytab
      ktutil:  wkt /etc/krb5/krb5.keytab
      ktutil:  quit
    • run klist -e -k /etc/krb5/krb5.keytab to check keys file
    • create <informix_home>ids/etc/concsm.cfg file with one row like this:
      GSSCSM("/app/informix/ids/lib/csm/", "", "c=1,i=1")
    • add sso alias to Informix onconfig file
    • add sso alias to sqlhosts file:
      ssoalias         ontlitcp        hostname      1526   s=7,csm=(GSSCSM)
  3. On all Windows workstations:
    • latest version of IBM Informix-Connect must be installed
    • create concsm.cfg file in the C:\Program Files\IBM\Informix\Connect\etc folder with one row like this:
      GSSCSM("client=C:\Program Files\IBM\Informix\Connect\lib\client\csm\igsss11a.dll", "", "c=1,i=1")
    • run setnet32 and describe server like on my screenshot, don’t forget specify options: s=7,csm=(GSSCSM)
    • test using ilogin or define ODBC source; leave username and password fields empty

To check AD accounts from Unix or debug Kerberos and SSO use the following tools:

  • klist, ldapsearch, ldaplist, getent
  • krb-diag