Connection issue between Server 2008R2 and IBM i5/OS Netserver.

I have an issue connecting between a new Windows Server 2008R2 and an IFS share on our i5.  We have batch jobs, which run from a shared folder, located within our Wintel environment, which need to connect to the i5 to run.  These run successfully on our old Windows 2003 servers, and didn’t default to trying to login with credentials on our domain, as opposed to using local details.

The server is logging in with an account, which has the correct permissions in Netserver.

The Wintel server is running the latest patches and using client access v5m4r0. The i5 is running at v5m4r5.

To test this issue, I have made the following changes on our test environment.  In Windows, I have changed the LAN manager value to disabled and I have also changed the LAN manager authentication level to “Send LM & NTLM – Use NTLMv2 session security if negotiated”.  The i5 is set to QPWDLVL 2.  This has not resolved the issue.

I hope someone else has had this issue and can help.
PlatformIT Asked:

Gary Patterson, VP Technology / Senior Consultant Commented:
Have you followed this process?

http://www-01.ibm.com/support/docview.wss?uid=nas8N1018525

Try specifying the user name using the name of the NetServer, or the IP address of that system:

AS400NETSERVERNAME\VALIDAS400USERID

- Gary Patterson
0
PlatformIT (Author) Commented:
Hi Gary

I have seen that document and made those changes - still the same issue.  

If you manually connect to the ifs share, you can only login by using servername\username.  Otherwise it defaults to the domain.  Even with a manually set network share, the batch jobs won't connect, running from the windows server.

Thanks.
0
Gary Patterson, VP Technology / Senior Consultant Commented:
Need some clarification:

"If you manually connect to the ifs share, you can only login by using servername\username.  Otherwise it defaults to the domain.  Even with a manually set network share, the batch jobs won't connect, running from the windows server."


Are you saying you can or cannot manually connect to the share using servername\username?

What exactly do you mean by "Even with a manually set network share"?

When you refer to "batch jobs ... running from the windows server", what exactly do you mean?  How, exactly do these jobs run?  Are they scheduled tasks in the Windows Task Scheduler?  Are they services?  Are they BAT files that a user manually executes?  How do they establish a connection to the share?

Can you post the Security tab values from Navigator - YourSystemName - Network - Servers - TCP/IP - right click on NetServer and select Properties?

Thoughts:

1) Make sure the user ID that the Windows batch processes are running under isn't disabled.  In Navigator:

Navigator -> YourSystemName -> Network -> Servers -> TCP/IP.   Right-click on I5/OS NetServer and select "Disabled User IDs".

Then try running a Win batch job and check the QSYSOPR message queue to see if the profile is getting disabled for NetServer after a few failed connection attempts.

2) Try executing the problem batch jobs while watching netserver status in Navigator.  The Status page shows counts for unknown user and password violations.  Useful to know which counter is ticking up.

3) One thing I want to mention, Windows file sharing connections are made on a session-by-session basis.  If I log onto Windows, and browse to a file share or map a drive to a file share, that connection or drive mapping is only used by my session.  If Windows Task Scheduler fires off a job, it needs to be able to establish an independent connection.  One way to do this is to have the task map a drive.  Assuming it is a BAT script:

net use q: \\servername\sharename password /user:servername\username

Then modify the BAT script to use the Q: drive.  Drawback, of course, is the need to specify the password in plaintext.

- Gary Patterson
0
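An added example, not part of the original posts: a PowerShell wrapper for the scheduled task that maps the drive inside the task's own session without keeping the password in plaintext in a script. The server, share, file and job names are placeholders, and the credential file is assumed to have been created once, interactively, by the same Windows account the task runs under.

```powershell
# Added example; all names and paths below are placeholders, not values from the thread.
#
# One-time setup, run interactively AS THE ACCOUNT the scheduled task uses:
#   Get-Credential | Export-Clixml 'C:\BatchJobs\netserver.cred.xml'
# Enter the user name as NETSERVERNAME\IBMIUSERID. Export-Clixml stores the password
# as a DPAPI-protected SecureString, so only that Windows account on that machine
# can decrypt it.

$CredFile  = 'C:\BatchJobs\netserver.cred.xml'   # hypothetical path
$Share     = '\\NETSERVERNAME\SHARENAME'         # placeholder NetServer share
$Drive     = 'Q:'
$JobScript = 'C:\BatchJobs\nightly.bat'          # hypothetical BAT file that uses Q:

if (-not (Test-Path $CredFile)) {
    Write-Error "Credential file $CredFile not found; run the one-time setup first."
    exit 2
}

# Fails if run under a different account than the one that created the file.
$cred = Import-Clixml $CredFile
$net  = New-Object -ComObject WScript.Network

try {
    # Map the drive in THIS session only (third argument $false = do not persist).
    # The password is passed through the COM call, not on a command line.
    $net.MapNetworkDrive($Drive, $Share, $false,
                         $cred.UserName,
                         $cred.GetNetworkCredential().Password)
}
catch {
    Write-Error "Mapping $Share failed: $($_.Exception.Message)"
    exit 1
}

try {
    & cmd.exe /c $JobScript
    $rc = $LASTEXITCODE
}
finally {
    # Always drop the mapping (force = $true, do not update the profile).
    $net.RemoveNetworkDrive($Drive, $true, $false)
}
exit $rc
```

The credential file is only as protected as the task account itself, so restrict that account's interactive logon and keep the file's NTFS permissions limited to it.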

Gary Patterson, VP Technology / Senior Consultant Commented:
Had to look around to find it, but here's an article that talks about why this can be an issue, and some recommended mechanisms for resolving it:

http://www-01.ibm.com/support/docview.wss?uid=nas8N1016520

Note that one solution is to change the NetServer domain to match the Windows domain.  

That's a very good fix.  I've set up NetServer like this in a couple of environments, and it does seem to reduce the volume of Windows / NetServer authentication issues and connection re-prompts.  

But if you change it for an existing installation, it can have some temporary repercussions for users that have saved passwords, and scripted drive mappings that specify a domain name.  So be prepared to deal with that kind of fallout if you make the change.

With Netserver on the same domain, and with Windows and IBM i user ID names and passwords in sync, this enables "promptless" NetServer connections.

Finally, make sure you are running the latest NetServer PTFs.  What cume level are you running on your server (WRKPTFGRP - look at level on SF98450)?  Latest for V5R4 is level 12094 / C2094540 from April 16, 2012.
0

PlatformIT (Author) Commented:
Hi Gary,

We are going to pause looking into this issue for a while.  I appreciate your help and I shall read the last link that you sent.

Thanks.

Glen.
0
Gary Patterson, VP Technology / Senior Consultant Commented:
No problem - feel free to post back if this doesn't get your problem resolved.  This is a pretty common family of problems, and usually fixable.
0