How to enable Kerberos authentication in Host Integration Server 2006

Host Integration Server uses a client\server interface to provide secure connections for client to server and server to server communication. Enforcing authentication on the client/server interface provides the following benefits:

  • Access to resources (e.g. 3270 LUs) is granted based on user account or group membership
  • Message encryption, detection of replayed packets, detection of messages received out of sequence, mutual authentication, & signed messages and verified signatures.
  • Integration with Windows security
  • Support for SSO (Single Sign-On)

The following authentication (logon) methods are supported in HIS 2006:

  • NTLM
  • Kerberos

NTLM authentication has been supported in Host Integration Server for quite some time (going back to the SNA Server days). Kerberos authentication was added in HIS 2006.

The HIS 2006 Client will always try to use Kerberos if the target HIS 2006 server is setup to use Kerberos. If Kerberos is not enabled, NTLM authentication will be used.

In order to configure the HIS 2006 Servers for Kerberos authentication, you have to set a Server Principal Name (SPN) for each HIS 2006 Server.

The SETSPN utility can be used to create the SPN. Please refer to the following for more details on the SETSPN utility:

The following is the correct syntax to use when creating the SPN for HIS 2006 Servers:

setspn –A HISSERVICE/<HIS 2006 Server name> <domain>\<HIS 2006 Service account>

HISSERVICE is the Service Class that has been chosen for HIS 2006.

You will need to run this command once for each HIS 2006 Server that you want to enable Kerberos support for.

If you want to create a SPN for a HIS 2006 Server named HISSERVER1 that was configured to use DOMAIN1\HIS_Service as the service account for the HIS services, the correct SETSPN syntax is as follows:


Note: Because SPNs are security-sensitive, you can only set SPNs for user objects if you have domain administrator privileges.

The HIS 2006 client takes the Service Class (HISSERVICE) and the name of the target HIS Server (Sponsor server or application server) and forms the SPN that it will try to validate. A request is then sent to a Domain Controller to find out if the SPN name is registered. If the SPN name is registered, it is returned to the HIS 2006 Client and Kerberos authentication will be used.

The following is a basic sequence of events that occurs during a HIS 2006 Client logon using Kerberos:

1. The HIS Client DMOD calls AcquireCredentialsHandle() with “Negotiate” for the security package name.

2. InitializeSecurityContext() provides the Server Principal Name (SPN) for the target server.

3. The client then sends a Ticket Granting Ticket (TGT) and a session ticket request to the Key Distribution Center (KDC).

4. The HIS 2006 client then presents the session ticket to the target server during connection setup.

5. The HIS Server DMOD calls AcquireCredentialsHandle() with “Negotiate” for the security package name.

6. The HIS Server DMOD calls AcceptSecurityContext().

7. The session ticket is then verified.

If SnaBase is running as an application (as opposed to as a Windows service) on a HIS 2006 client, you can put the mouse cursor over the SnaBase Systray icon to determine if Kerberos or NTLM authentication is being used. If the mouse cursor is moved over the SnaBase icon, you may see something similar to the following:

Host Integration Server - <HIS Server Name> (NTLM) (Secure)

<HIS Server Name>would actually contain the name of the HIS 2006 Server that the client has connected to as its sponsor server. The authentication method is then shown next in parentheses and will be either NTLM or Kerberos. Finally, the (Secure) value indicates that HIS client/server encryption is enabled.

If SnaBase is running as a Windows service on the HIS 2006 Client, a SnaBase Systray icon will not be present, so this method for determining the sponsor server, authentication method, and encryption setting is not available. You’d have to use HIS traces using snatrace.exe to capture the startup of the SnaBase process and/or SNA application to see this information.