
Prentice Hall Advanced DBA Certification Guide And Reference For DB2 Universal Database V8 For Linux UNIX And Windows Jul 2003 ISBN 0130463884


User Authentication with DB2 for Windows NT
User authentication can cause problems for Windows NT users because of the way the operating system authenticates.

DB2 for Windows NT User Name and Group Name Restrictions
The following are the limitations in this environment:
- User names are limited to 30 characters within DB2. Group names are limited to 8 characters.
- User names under Windows NT are not case sensitive; however, passwords are case sensitive.
- User names and group names can be a combination of upper- and lowercase characters. However, they are usually converted to uppercase when used within DB2. For example, if you connect to the database and create the table schema1.table1, this table is stored as SCHEMA1.TABLE1 within the database. (If you wish to use lowercase object names, issue commands from the command line processor, enclosing the object names in quotation marks, or use third-party ODBC front-end tools.)
- A user cannot belong to more than 64 groups.
- DB2 supports a single namespace. That is, when running in a trusted domains environment, you should not have a user account of the same name that exists in multiple domains, or that exists in the local SAM of the server machine and in another domain.

Groups and User Authentication on Windows NT
Users are defined on Windows NT by creating user accounts using the Windows NT administration tool called the User Manager. An account that contains other accounts, also called members, is a group.
Groups give Windows NT administrators the ability to grant rights and permissions to the users within the group at the same time, without having to maintain each user individually. Groups, like user accounts, are defined and maintained in the SAM database.
There are two types of groups: local and global.
- Local groups. A local group can include user accounts created in the local accounts database. If the local group is on a machine that is part of a domain, the local group can also contain domain accounts and groups from the Windows NT domain. If the local group is created on a workstation, it is specific to that workstation.
- Global groups. A global group exists only on a domain controller and contains user accounts from the domain's SAM database. That is, a global group can contain only user accounts from the domain on which it is created; it cannot contain any other groups as members. A global group can be used in servers and workstations of its own domain and in trusting domains.
The PDC holds the SAM for the domain. This SAM is replicated to any BDCs in the domain. Domain controllers do not have a local SAM database; they hold user and group data for the domain. In this sense, any groups created on the PDC, local or global, are domain groups.
Windows NT machines that are not domain controllers (NT Workstations and some NT servers) will each have their own SAM databases. User accounts and groups created on those machines are local to that machine. There is no Create Global Group option on machines that are not domain controllers.

Trust Relationships Between Domains on Windows NT
Trust relationships are an administration and communication link between two domains. A trust relationship between two domains enables user accounts and global groups to be used in a domain other than the domain where the accounts are defined. Account information is shared to validate the rights and permissions of user accounts and global groups residing in the trusted domain without being authenticated. Trust relationships simplify user administration by combining two or more domains into a single administrative unit.
There are two domains in a trust relationship:
- The trusting domain. This domain trusts another domain to authenticate users for it.
- The trusted domain. This domain authenticates users on behalf of (in trust for) another domain.
Trust relationships are not transitive. This means that explicit trust relationships need to be established in each direction between domains. For example, the trusting domain is not necessarily also a trusted domain.


DB2 for Windows NT Security Service
In DB2 UDB, the authentication of user names and passwords is integrated into the DB2 System Controller. The Security Service is required only when a client is connected to a server that is configured for authentication CLIENT.

Installing DB2 on a Backup Domain Controller
In a Windows NT 4.0 environment, a user can be authenticated at either a primary or a backup domain controller. This feature is very important in large distributed LANs with one central PDC and one or more BDCs at each site. Users can then be authenticated on the BDC at their site instead of requiring a call to the PDC for authentication.
The advantage of having a backup domain controller, in this case, is that users are authenticated faster, and the LAN is not as congested as it would have been had there been no BDC.
Authentication can occur at the BDC under the following conditions:
- The DB2 for Windows NT server is installed on the BDC.
- The DB2DMNBCKCTLR profile registry variable is set appropriately.
If the DB2DMNBCKCTLR profile registry variable is not set or is set to blank, DB2 for Windows NT performs authentication at the PDC.
The only valid declared settings for DB2DMNBCKCTLR are "?" or a domain name.
If the DB2DMNBCKCTLR profile registry variable is set to a question mark (DB2DMNBCKCTLR=?), then DB2 for Windows NT will perform its authentication on the BDC under the following conditions:
- The cached Primary Domain is a registry value set to the name of the domain to which this machine belongs. (You can find this setting under HKEY_LOCAL_MACHINE, Software, Microsoft, Windows NT, CurrentVersion, WinLogon.)
- The Server Manager shows the BDC as active and available.
- The registry for the DB2 Windows NT server indicates that the system is a BDC on the specified domain.
Under normal circumstances, the setting DB2DMNBCKCTLR=? will work; however, it will not work in all environments. The information supplied about the servers on the domain is dynamic, and Computer Browser must be running to keep this information accurate and current. Large LANs may not be running Computer Browser and, therefore, Server Manager's information may not be current. In this case, there is a second method to tell DB2 for Windows NT to authenticate at the BDC:
    db2set DB2DMNBCKCTLR=xxx
where xxx is the Windows NT domain name for the DB2 server. With this setting, authentication will occur on the BDC, based on the following condition:
- The machine is configured as a BDC for the specified domain. (If the machine is set up as a BDC for another domain, this setting will result in an error.)
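The decision rules above, written out as an added example that is not IBM's code: auth_location() returns where DB2 would authenticate for a given DB2DMNBCKCTLR value, and db2set_values() pulls the variable out of db2set -all output (the "[g] NAME=value" line format is assumed, as are the host facts).

```python
# Added illustration (not IBM's code) of where DB2 for Windows NT authenticates a
# user for a given DB2DMNBCKCTLR value. db2set_values() assumes db2set -all prints
# one "[g] NAME=value" style line per variable; the host facts are constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BdcHost:
    cached_primary_domain: str      # WinLogon "cached Primary Domain" registry value
    bdc_for_domain: Optional[str]   # domain this system is a BDC for (DB2 registry), or None
    bdc_active: bool                # Server Manager shows the BDC as active and available


def auth_location(setting: Optional[str], host: BdcHost) -> str:
    """Return 'PDC', 'BDC' or 'ERROR' for one DB2DMNBCKCTLR value."""
    value = (setting or "").strip()
    if value == "":                 # not set or blank: authentication at the PDC
        return "PDC"
    if value == "?":
        # Automatic mode needs all three conditions; Computer Browser must be running
        # for Server Manager's view to be current. Assumption: otherwise the PDC is used.
        if (host.bdc_for_domain is not None
                and host.cached_primary_domain.upper() == host.bdc_for_domain.upper()
                and host.bdc_active):
            return "BDC"
        return "PDC"
    # Explicit domain name: the machine must be a BDC for exactly that domain,
    # otherwise DB2 reports an error.
    if host.bdc_for_domain is not None and value.upper() == host.bdc_for_domain.upper():
        return "BDC"
    return "ERROR"


def db2set_values(db2set_all_output: str) -> Dict[str, str]:
    """Collect NAME=value pairs from db2set -all output, ignoring the scope tag."""
    values: Dict[str, str] = {}
    for line in db2set_all_output.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        if line.startswith("["):    # drop an "[i]" / "[g]" style scope prefix
            line = line.split("]", 1)[1].strip()
        name, value = line.split("=", 1)
        values[name.strip().upper()] = value.strip()
    return values


# Constructed sample of db2set -all output on a BDC for the SALES domain.
SAMPLE_DB2SET = "[i] DB2COMM=TCPIP\n[g] DB2DMNBCKCTLR=?\n"
```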


DB2 for Windows NT Authentication with Groups and Domain Security
DB2 UDB allows you to specify either a local group or a global group when granting privileges or defining authority levels. A user is determined to be a member of a group if the user's account is defined explicitly in the local or global group, or implicitly by being a member of a global group defined to be a member of a local group.
DB2 for Windows NT supports the following types of groups:
- Local groups.
- Global groups.
- Global groups as members of local groups.
DB2 for Windows NT enumerates the local and global groups that the user is a member of, using the security database where the user was found. DB2 UDB provides an override that forces group enumeration to occur on the local Windows NT server where DB2 is installed, regardless of where the user account was found. This override can be achieved using the following commands:
For global settings:
    db2set -g DB2_GRP_LOOKUP=local
For instance settings:
    db2set -i <instance name> DB2_GRP_LOOKUP=local
After issuing this command, you must stop and start the DB2 instance for the change to take effect. Then create local groups and include domain accounts or global groups in the local group.
To view all DB2 profile registry variables that are set, type:
    db2set -all
If the DB2_GRP_LOOKUP profile registry variable is set to local, then DB2 tries to find a user on the local machine only. If the user is not found on the local machine or is not defined as a member of a local or global group, then authentication fails. DB2 does not try to find the user on another machine in the domain or on the domain controllers.
If the DB2_GRP_LOOKUP profile registry variable is not set, then:
1. DB2 first tries to find the user on the same machine.
2. If the user name is defined locally, the user is authenticated locally.
3. If the user is not found locally, DB2 attempts to find the user name on its domain, then on trusted domains.
If DB2 is running on a machine that is a PDC or BDC in the resource domain, it is able to locate any domain controller in any trusted domain. This occurs because the names of the domains of BDCs in trusted domains are known only to a domain controller.
If DB2 is not running on a domain controller, you should issue:
    db2set -g DB2_GRP_LOOKUP=DOMAIN
This command tells DB2 to use a domain controller in its own domain to find the name of a domain controller in the accounts domain. That is, when DB2 finds out that a particular user account is defined in domain x, rather than attempting to locate a domain controller for domain x, it sends that request to a domain controller in its own domain. The name of the domain controller in the accounts domain will be found and returned to the machine DB2 is running on. There are two advantages to this method:
1. A BDC is found when the PDC is unavailable.
2. A BDC is found that is close when the PDC is geographically remote.
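The membership rule (explicit, or implicit through a global group nested in a local group) and the DB2_GRP_LOOKUP search order from this section, as an added example that is not IBM's code: the Sam class and the three account databases are constructed sample data, and resolve() returns where the user was found and which groups DB2 would enumerate.

```python
# Added illustration (not IBM's code) of the DB2_GRP_LOOKUP rules: where DB2 looks for
# the user and which groups it enumerates. Names are unqualified because DB2 assumes a
# single namespace across the server and its domains; all data here is constructed.
from typing import Dict, Optional, Set, Tuple

Groups = Dict[str, Set[str]]   # group name -> members (user names or global-group names)


class Sam:
    """One security database: the DB2 server's local SAM or a domain's SAM."""
    def __init__(self, name: str, users: Set[str], local_groups: Groups, global_groups: Groups):
        up = lambda names: {n.upper() for n in names}
        self.name, self.users = name, up(users)
        self.local_groups = {g.upper(): up(m) for g, m in local_groups.items()}
        self.global_groups = {g.upper(): up(m) for g, m in global_groups.items()}


def groups_of(user: str, sam: Sam, global_catalog: Groups) -> Set[str]:
    """Explicit membership in a local or global group of `sam`, plus implicit
    membership through a global group nested inside one of its local groups."""
    user = user.upper()
    in_globals = {g for g, m in global_catalog.items() if user in m}
    in_locals = {g for g, m in sam.local_groups.items() if user in m or m & in_globals}
    own_globals = {g for g, m in sam.global_groups.items() if user in m}
    return in_locals | own_globals


def resolve(user: str, grp_lookup: Optional[str], local: Sam, domain: Sam,
            trusted: Tuple[Sam, ...] = ()) -> Optional[Tuple[str, Set[str]]]:
    """Return (database the user was found in, enumerated groups), or None when
    DB2 would fail the authentication."""
    catalog: Groups = {}
    for sam in (domain, *trusted):      # global groups exist only on domain controllers
        catalog.update(sam.global_groups)
    u = user.upper()
    if grp_lookup and grp_lookup.lower() == "local":
        # Override: only the server's own SAM is searched and enumerated. A user with
        # no local or global group membership there fails, as the text states.
        groups = groups_of(u, local, catalog)
        return (local.name, groups) if groups else None
    # Not set (or DOMAIN, which only changes how domain controllers are located):
    # the local machine first, then the server's own domain, then trusted domains.
    for sam in (local, domain, *trusted):
        if u in sam.users:
            return (sam.name, groups_of(u, sam, catalog))
    return None


# Constructed sample: SalesStaff is a domain global group nested in a local group.
LOCAL = Sam("DB2SRV", {"dbadmin"}, {"db2users": {"dbadmin", "SalesStaff"}}, {})
RESOURCE = Sam("RESDOM", {"alice"}, {"DomainOps": {"alice"}}, {"SalesStaff": {"alice"}})
TRUSTED = Sam("ACCTDOM", {"bob"}, {}, {"Partners": {"bob"}})
```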



