Kerberos SSO End-to-End: Fundamentals, Flows, and Advanced Troubleshooting
This session provides an end-to-end, practitioner-focused deep dive into Kerberos-based Single Sign-On on IBM i, designed to be approachable for those new to the technology while still delivering real value to experienced engineers. We start by clearly explaining the core Kerberos concepts—tickets, principals, SPNs, and authentication flows—then progressively peel back the layers to show what actually happens during successful and failed logins. We will cover how Network Authentication Services (NAS) and Enterprise Identity Mapping (EIM) work together within IBM i. From there, we move beyond theory into real-world behavior, covering both single-hop and multi-hop (delegation) scenarios and why they so often break in enterprise environments. We will conclude the session by diving into advanced diagnostics and troubleshooting techniques, including common misconfigurations, delegation pitfalls, clock and DNS issues, and how to interpret logs and traces to pinpoint failures. Attendees will leave with a practical mental model of Kerberos, a clear understanding of how SSO works across hops, and concrete techniques they can immediately apply to debug complex authentication problems in production.
Robert Andrews
Team Lead
IBM
Robert Andrews is the Team Lead for the IBM i Security and Authentication Lab Services Power Systems Delivery Practice in Rochester, MN. He is an Executive Security Consultant and a certified Thought Leader in IBM for security. Besides security, Robert is an expert in Db2, journaling, and DDM/DRDA. In addition to his technical work at IBM, Robert has been strongly involved in Emergency Management and Communications for over a decade at all levels from local to federal. Robert has published seven books and holds degrees in mathematics, computer science, education, and management.