[29249] in Kerberos


Re: support SSO in Windows with Keberos TGT

daemon@ATHENA.MIT.EDU (Sylvain - MVP GPOs)
Wed Feb 13 18:15:47 2008

From: "Sylvain - MVP GPOs" <sylvaincortes@nospam_hotmail.com>
In-Reply-To: <mailman.170.1201506028.5144.kerberos@mit.edu>
Date: Thu, 14 Feb 2008 00:12:27 +0100
MIME-Version: 1.0
Message-ID: <47b3798d$0$8186$426a74cc@news.free.fr>
X-Complaints-To: abuse@proxad.net
To: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi,

Perhaps you can have a look at www.centrify.com, which provides an interop SSO
between Windows/Unix/Linux based on Kerberos...

sylvain


-- 
Sylvain Cortes
MVP GPOs - http://www.gpomasters.com

NEXT MEETING OF THE ACTIVE DIRECTORY COMMUNITY ON JANUARY 29 -
REGISTRATION AT WWW.CADIM.ORG

Join the Active Directory and Identity Management community!!!
http://www.cadim.org



"Eswar S" <eswars@huawei.com> wrote in message
news:mailman.170.1201506028.5144.kerberos@mit.edu...
>>> Hi,
>>>
>>>
>>> Using MIT Kerberos, how can I support SSO?
>
>>You can obtain your tickets during the windows logon process from your
>>domain controller and then access them from KFW aware applications by
>>setting the default ccache to MSLSA: or by permitting Network Identity
>>Manager to synchronize the MSLSA: cache contents with an API: cache.
>>>
>
>
>
>>> Is it possible to update Microsoft cache? How can I make other kerberised
>>> application to use cache file which is generated by my application.
>
>>On Vista the MSLSA: cache is read-write provided you do not use the
>>binaries provided by MIT.
>>KFW 3.2.2 was built incorrectly and the MIT distribution treats the
>>Vista MSLSA: cache as read-only.
>
> I want to update/add my credentials to the Microsoft (Windows XP & Vista
> & Win2k Prof) cache. So other than Vista, I can't update credentials to
> "MSLSA:"
>
> How can we support SSO with a Kerberos TGT? How are all other products
> able to do this?
>
> Are they maintaining their own clients for supporting SSO?
>
>
> Here my problem is that all clients should use my cache data, which is
> generated by my application; they should not use the Microsoft login
> cache (MSLSA:).
> Or else,
> if it is possible, I should be able to update the MSLSA: cache.
>
> Is there any other way to support SSO?
>
>
>>> I mean when I got credentials (TGT) from KDC, I will store to cache file.
>>> I will set it as default cache.
>>Ok.  Then all KFW aware applications that do not specify a ccache will
>>use those credentials.
>
>
>
> ***************************************************************************************
> This e-mail and attachments contain confidential information from HUAWEI,
> which is intended only for the person or entity whose address is listed
> above. Any use of the information contained herein in any way (including,
> but not limited to, total or partial disclosure, reproduction, or
> dissemination) by persons other than the intended recipient's) is
> prohibited. If you receive this e-mail in error, please notify the sender by
> phone or email immediately and delete it!
>
>
>
>
>
> Message: 6
> Date: Fri, 25 Jan 2008 18:52:32 -0500
> From: Jeffrey Altman <jaltman@secure-endpoints.com>
> Subject: Re: support SSO in Windows with Keberos TGT
> To: eswars@huawei.com
> Cc: kerberos@mit.edu
> Message-ID: <479A7640.8090701@secure-endpoints.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Eswar S wrote:
>> Hi,
>>
>>
>> Using MIT Kerberos, how can I support SSO?
> You can obtain your tickets during the windows logon process from your
> domain controller and then access them from KFW aware applications by
> setting the default ccache to MSLSA: or by permitting Network Identity
> Manager to synchronize the MSLSA: cache contents with an API: cache.
>>
>> Is it possible to update Microsoft cache? How can I make other kerberised
>> application to use cache file which is generated by my application.
> On Vista the MSLSA: cache is read-write provided you do not use the
> binaries provided by MIT.
> KFW 3.2.2 was built incorrectly and the MIT distribution treats the
> Vista MSLSA: cache as read-only.
>>
>> I mean when I got credentials (TGT) from KDC, I will store to cache file. I
>> will set it as default cache.
> Ok.  Then all KFW aware applications that do not specify a ccache will
> use those credentials.
>>
>>  My doubt is how all are supporting SSO using Kerberos tokens.
>>
>>  How can I update Microsoft cache? Is it possible?
>>
>> Please help me in this regard. I will be waiting for your reply.
>>
>> Thanks and Regards,
>> Eswar S
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
> ------------------------------
>
> Message: 7
> Date: Fri, 25 Jan 2008 21:09:20 -0500
> From: "Matt Smith" <matt.smith@uconn.edu>
> Subject: Re: [lib]kadm on Windows?
> To: "Russ Allbery" <rra@stanford.edu>
> Cc: kerberos@mit.edu
> Message-ID:
> <44a3206d0801251809p2271942fkdca5b5eeb3d748c2@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Jan 25, 2008 6:28 PM, Russ Allbery <rra@stanford.edu> wrote:
>>
>> That's the bit that I was referring to where I hadn't had a chance to
>> include the patch yet.  I'm hoping to get it into the next release,
>> although I don't yet have a plan for when that will be.
>>
>
> I'll probably start digging into this in about a month.   If it will help
> any, I'll report back anything I find.  Is there a preferred forum for
> remctl discussion?
>
> Thank you,
> -Matt
> -- 
> matt@forsetti.com
> Key ID:D6EEC5B5
>
>
> ------------------------------
>
>
> End of Kerberos Digest, Vol 61, Issue 35
> ****************************************
>
> 
