Can we have a mixed environment where some users use SSO and others still use passwords?

Yes, you can maintain a mixed environment. Users without Active Directory accounts (such as warehouse personnel with limited application access) can continue using traditional password authentication on IBM i while other users leverage SSO. Service accounts can also retain passwords as needed.

What happens to SSO if we need to failover to our HA or DR environment?

Fortra's implementation includes strategies for recovering SSO in HA/DR environments, with a mock walkthrough of the recovery process that can be added to your recovery runbook. The high availability EIM domain option maintains two synchronized copies across partitions with DNS-based failover capability.

Does implementing SSO require purchasing additional software licenses?

No, the base SSO implementation uses software already licensed on your IBM i system (Kerberos and Enterprise Identity Mapping). While this software may not be installed, it is included in your existing licensing and does not require additional purchases.

Single Sign-On for IBM i: Eliminating Passwords with Kerberos

Name: Single Sign-On for IBM i: Eliminating Passwords with Kerberos
Uploaded: 2026-05-08T19:18:16-04:00
Duration: 46 min 20 s
Description: Why are more organizations interested in single sign-on (SSO)? Is it because IT teams are tired of managing passwords? Are they frustrated with employees reusing compromised passwords? Regardless of the reason, the use of single sign-on is on the rise....

Fortra

05/08/2026

0 (0%)

Report Like Favorite

TL;DR

Single sign-on for IBM i eliminates password management overhead by setting user profile passwords to *NONE and leveraging Kerberos authentication from Windows Active Directory
The solution uses existing infrastructure (Windows domain controllers, Kerberos protocol) and requires no additional software licensing for base implementation
Enterprise Identity Mapping (EIM) provides the cross-reference between Windows user IDs and IBM i user profiles, enabling seamless authentication across on-premise, cloud, and hybrid Azure environments
Fortra offers implementation services, automated EIM management through RPA bots, managed services subscriptions, and high availability options for production environments
SSO reduces help desk costs, eliminates password reset workflows, improves security by removing weak/reused passwords, and provides a Windows-like user experience for IBM i access

The Password Problem and SSO Benefits

This webinar addresses the operational burden and security risks inherent in password-based authentication for IBM i environments. Steve Sisk, Principal Security Services Consultant at Fortra, explains how users typically manage 50+ accounts and passwords, leading to weak password practices, credential reuse across systems, and significant help desk overhead for password resets. Single sign-on (SSO) using Kerberos authentication eliminates these challenges by removing passwords entirely from IBM i user profiles, reducing operational costs, streamlining authentication, and improving security posture. The session demonstrates how SSO leverages existing Windows Active Directory infrastructure to provide seamless access to IBM i systems without requiring users to enter credentials repeatedly.

Kerberos and Enterprise Identity Mapping Architecture

The technical foundation of IBM i SSO relies on Kerberos authentication protocol and Enterprise Identity Mapping (EIM). When a user opens a 5250 session configured for SSO, Access Client Solutions (ACS) requests a Kerberos service ticket from the Windows domain controller. The domain controller validates the user's authorization and issues an encrypted ticket that is forwarded to the IBM i system. Kerberos on IBM i decrypts the ticket to authenticate the user, then EIM maps the Windows user ID to the corresponding IBM i user profile (which has its password set to *NONE). This architecture works across on-premise, cloud, and hybrid Azure environments, supporting ACS functions including ODBC/JDBC, HTTP services, and IFS share mounting.

Implementation Approach and Professional Services

Fortra's SSO implementation services include configuring Kerberos on IBM i systems (joining them to the Windows domain), setting up Enterprise Identity Mapping, and mass-loading user mappings through automated tools. The implementation covers configuration of additional services like IFS shares and HTTP, strategies for ACS deployment, and disaster recovery procedures including HA/DR environment failover. Fortra offers managed services with 12 hours of annual consulting for SSO and general IBM i security topics, an automated EIM management bot using Robotic Process Automation, and high availability options for the EIM domain. The company also provides comprehensive security services including risk assessments, penetration testing, remediation services, and the Powertech security product suite.

Chapters

0:00 - Introduction and Webinar Overview
0:46 - Why Single Sign-On?
4:09 - What's Wrong with Passwords?
12:20 - Password Alternative: SSO on IBM i
13:07 - Kerberos Authentication Technology
15:59 - How SSO Works: Authentication Flow
20:44 - Enterprise Identity Mapping (EIM)
23:02 - Complete SSO Process with EIM
24:47 - Single Sign-On Benefits Summary
28:14 - Fortra SSO Implementation Solution
31:12 - On-Premise IBM i SSO Environment
32:31 - Pure Azure SSO Environment
33:56 - Implementation Services Overview
36:41 - Additional SSO Options and Services
38:03 - Automated EIM Management Bot
40:20 - EIM Domain High Availability
41:20 - Fortra Professional Services Portfolio
44:15 - Powertech Security Products
45:16 - Resources and Closing

Key Quotes

1:03 "I have probably 50 or more accounts and passwords that I have to manage just in my work here at FORTRA."
3:32 "The overarching objective is to reduce the operating costs of passwords and user accounts in the environment."
11:02 "We often see that communication between the IBMI and the user are not encrypted. So data, meaning user IDs and passwords and even data is flowing over the network in a way that can be clearly seen."
16:33 "The password for that profile is set to star none, which is not a null password. The password with that special value, it does not exist."
28:30 "For the base implementation, there's no additional software that needs to be purchased. All that software is already licensed to you on your system."
38:51 "You do get with the bot is a full license of the Automate product that you can use to automate other repetitive processes, both in your business and environment and in the IT environment."

Categories:

» Cybersecurity » Identity & Access Management (IAM)
» Cybersecurity » Cloud Security
» Data Protection

Tags:

Show more Show less

Browse videos

Upcoming Webinar Calendar

05/12/2026

01:00 PM

05/12/2026

Transforming Black Box to Glass Box: Revealing Hidden Threats and AI Risks through Data Lineage

https://www.truthinit.com/index.php/channel/1895/transforming-black-box-to-glass-box-revealing-hidden-threats-and-ai-risks-through-data-lineage/
05/12/2026

11:30 PM

05/12/2026

Implementing Effective Strategies for Active Directory Security and Data Protection

https://www.truthinit.com/index.php/channel/1888/implementing-effective-strategies-for-active-directory-security-and-data-protection/
05/13/2026

01:00 AM

05/13/2026

Transforming the Black Box: Revealing AI Risks and Hidden Threats through Data Lineage

https://www.truthinit.com/index.php/channel/1890/transforming-the-black-box-revealing-ai-risks-and-hidden-threats-through-data-lineage/
05/13/2026

05:00 AM

05/13/2026

Transforming Black Box to Glass Box: Revealing AI Risks and Hidden Threats through Data Lineage

https://www.truthinit.com/index.php/channel/1894/transforming-black-box-to-glass-box-revealing-ai-risks-and-hidden-threats-through-data-lineage/
05/19/2026

01:00 PM

05/19/2026

Establishing a Robust AI Governance Framework for GenAI Throughout Its Lifecycle

https://www.truthinit.com/index.php/channel/1936/establishing-a-robust-ai-governance-framework-for-genai-throughout-its-lifecycle/
05/20/2026

10:00 PM

05/20/2026

APAC: Establishing an AI Governance Framework for GenAI Throughout the Deployment Process

https://www.truthinit.com/index.php/channel/1953/establishing-an-ai-governance-framework-for-genai-throughout-the-deployment-process/
05/21/2026

11:00 AM

05/21/2026

The Autonomous Era: Orchestrating a Resilient Enterprise

https://www.truthinit.com/index.php/channel/1372/the-autonomous-era-orchestrating-a-resilient-enterprise/
05/27/2026

04:00 AM

05/27/2026

Rivoluziona i rischi dell'AI in opportunità con Netskope AI Security

https://www.truthinit.com/index.php/channel/1925/rivoluziona-i-rischi-dellai-in-opportunità-con-netskope-ai-security/
05/28/2026

10:00 AM

05/28/2026

Harnessing AI: Transforming Perception into Purposeful Mastery

https://www.truthinit.com/index.php/channel/1924/harnessing-ai-transforming-perception-into-purposeful-mastery/
05/28/2026

01:00 PM

05/28/2026

AI in the Fast Lane: Effectively Managing AI Security for Small Teams

https://www.truthinit.com/index.php/channel/1951/ai-in-the-fast-lane-effectively-managing-ai-security-for-small-teams/
06/02/2026

01:00 PM

06/02/2026

Satori Spring: Insights from Recent Research on the 2026 Threat Landscape

https://www.truthinit.com/index.php/channel/1930/satori-spring-insights-from-recent-research-on-the-2026-threat-landscape/
06/04/2026

02:00 AM

06/04/2026

Mastering the Unseen: Managing Shadow AI and Agentic MCP Traffic

https://www.truthinit.com/index.php/channel/1948/mastering-the-unseen-managing-shadow-ai-and-agentic-mcp-traffic/
06/16/2026

07:00 AM

06/16/2026

Transforming Data Risk into Actionable Priorities: What to Address First

https://www.truthinit.com/index.php/channel/1952/transforming-data-risk-into-actionable-priorities-what-to-address-first/