4.4.1 How LANSA SSO Works
When a Windows user signs onto Windows as part of a domain, their domain user account in the Windows Active Directory includes a property called the Kerberos (UPN). The UPN of a user consists of the user name, followed by an '@' character, and then the full domain in uppercase letters. For example, the UPN for Windows user 1 (user1) might be [email protected].
When [email protected] launches Visual LANSA, and if the option is selected in the Logon dialog, Visual LANSA Logon checks whether the repository contains a LANSA User which is associated with [email protected]. If it finds such a LANSA User, for example "DEVUSER", then Visual LANSA Logon starts the Visual LANSA session using the LANSA User Id of DEVUSER. If there is no association, the log on step cannot proceed.
The association between a Windows domain user and a LANSA User is specified on an IBM i by an IBM i administrator using the IBM Enterprise Identity Mapping (EIM) facility. In order to automate the access to the IBM i EIM facility, a Distinguished name and password are needed. These are specified using the facility, described in the .
If you are using a Slave System with an IBM i Master Repository, you may need to perform a 4.2 System Initialization and select the 4.2.14 Enrolled PC Users option, to update the association details in the Visual LANSA System Definition. This option will retrieve the most current list of associations between Windows domain users and authorized LANSA User Ids.
The association between a Windows domain user and a LANSA User is specified on a Windows server using the LANSA User definition in the LANSA Editor.
Also see
EIM Authorized User (COMMS_EIM_USER) in the