Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


iSeries Access for Windows - 2 phase authentication

Posted on 2010-09-15
Medium Priority
Last Modified: 2012-06-27
I'm using the iSeries Access for Windows for connection my AS400 machine.
I wanted to know - since the emulator is configured (on the Signon info) to "prompt always", I'm asked for a password first time via the iSeries (some messagebox...) and when getting to the AS400 machine, I get the the login page mode.
so... what is the purpose of the fist authentication? on wc3270 I don't need this authentication phase but I want to know if I miss something.
Question by:Cyber-EE
  • 4
  • 2
LVL 36

Expert Comment

by:Gary Patterson
ID: 33682600
The iSeries Access prompts for a password on the initial connection to the AS/400, and it caches this connection information.  

If the system is configured to allow users to "bypass logon", and the user's emulator session is similarly configured, then users can be automatically logged on without seeing a green-screen logon screen.

This cached logon information is also used for other purposes, including NetServer access, Navigator access, etc.

Other emulation products don't perform this initial authentication - it is unique to iSeries Access.

- Gary Patterson
LVL 27

Expert Comment

ID: 33687211
Although the "initial authorization" might not be done, bypassing the "login page" is done by other emulators. The open source TN5250 project will 'bypass signon' if you configure the connection to do so.

The IBM intended purpose of 'bypass signon' is to avoid sending the password in clear-text through the "login page" which, after all, is just a normal display file. The password is instead sent in an encrypted/encoded form to the telnet server. The rise in popularity of ssl or VPN connections has somewhat reduced that issue.

The iSeries Access connection can be configured to 'bypass signon'. However, some sites still force entry through the "login page" which effectively cancels the setting from the PC.


Author Comment

ID: 33689043
Hi Gary,
Tx for the good answer.
can you pls give me some more details for how to do what you mentioned:
"If the system is configured to allow users to "bypass logon", and the user's emulator session is similarly configured..."
1. how do i configure the system to allow bypass logon? I'm using the iSeries navigator...
2. how do i allow bypass from the emulator? can I do it from the "Configure PC5250" dialog (when I'm creating new session?) - just check the "bypass signon"?

tx a lot,

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

LVL 36

Accepted Solution

Gary Patterson earned 2000 total points
ID: 33690377
Set the Qrmtsign system value to *verify and tick the "bypass signon" button on the emilation session.

Many shops prohibit this practice, since accss to an unlocked workstation allows a user access to the as400 without the need for a user I'd or password.  Use with caution.


Gary Patterson

Author Comment

ID: 33691496
since I'm not familier with the AS400 at all - I just need to know how to set the Qrmtsign system value to *verify.

Author Comment

ID: 33691603
I found the way to do it...
to whom it may concern:
1. logon to the AS400
2. write the following command: WRKSYSVAL
3. if you have the permissions you will see the system vals...
=> select "QRMTSIGN" and change its value to *VERIFY

see http://www.sans.org/reading_room/whitepapers/basics/as-400-iseries-comprehensive-guide-setting-system-values-common-practice-securi_425

Author Closing Comment

ID: 33691643
see the last commnet I added - since I know nothing about as400 I only missed how to change system values

Featured Post

Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension . This reminded me of questions that come up here at EE along the lines of, "How can I tell the type of file from its cont…
Windows 7 does not have the best desktop search built in. This is something Windows 7 users have struggled with. You type something in, and your search results don’t always match what you are looking for, or it doesn’t actually work at all. There ar…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question