Active Directory Kerberos Server and Windows MIT Tools Client
daemon@ATHENA.MIT.EDU (Schreiter,Jonathan M.)
Fri May 8 16:38:26 2009
Date: Fri, 8 May 2009 16:37:51 -0400
Message-ID: <681E55847A76D4449B702D8B7DE7ED851F8C81@US1013EXMP.america.apci.com>
From: "Schreiter,Jonathan M." <SCHREIJM@airproducts.com>
To: <kerberos@mit.edu>
Hello,
I currently have an AD 2003 environment that serves as a Kerberos server. Normally, with a standard Windows XP / Vista client (that is joined to the domain), when I login with a domain account I get a TGT for the AD domain / realm. This TGT is then used to get tickets for various other services that require Kerberos. When I run a klist from the MIT tools installed on this client, I show my ticket cache: MSLSA.
I need to log in with a local account on this same computer (still joined to the domain). I'd like to be able, via the command line, to enter my AD credentials to acquire a tgt just as if I had logged in from the original CTRL+ALT+DEL screen.
Also, MYDOMAIN.COM = MYREALM.COM
After logging in locally, I tried to do a simple kinit myuser@MYDOMAIN.COM and it took the password. However, if I use Internet Explorer to go to an IIS server that requires kerberos authentication, I am still prompted for my username and password.
I then drilled in to the GUI Network Identity Manager. Under Kerberos v5 Credential Cache I have Include Windows LSA cache (MSLSA:) checked. Under Realms I added a new realm MYDOMAIN.COM. I added an AD DC for the Kerberos Server, but I left Domains that map to MYDOMAIN.COM empty (not sure what's supposed to go here).
I then entered my kerberos authentication in to the GUI and it took my password. However, it still doesn't see the tgt in the MSLSA (if I try to use a klist from the Windows NT Resource Kit). If I run klist from c:\Program Files\MIT\Kerberos\Bin I get a klist: No credentials cache found (ticket cache API:myuser@MYDOMAIN.COM). Also, if I try to run IE to hit an IIS web server requiring Kerberos, it still prompts me for my credentials.
I think I'm almost there - but can someone help me connect the pieces? Again, I would like to log in to a windows xp / vista computer, enter a username and password to obtain a tgt in the mslsa, so that IE can hit an IIS server that requires kerberos w/o typing in the password again.
Any help would be GREATLY appreciated.
Many thanks,
Jonathan
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
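The symptom in the post (kinit succeeds, but IE still prompts) usually comes down to which credential cache holds the TGT: Windows SSPI clients such as IE read the LSA cache (MSLSA:), while MIT tools default to their own API: cache. The following added example, not part of the original post, parses MIT klist output and reports whether a TGT for the realm exists and whether it lives in MSLSA:. The sample klist output and the realm/principal names are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of MIT klist output on Windows (not from the original post).
SAMPLE_MSLSA = """Ticket cache: MSLSA:
Default principal: myuser@MYDOMAIN.COM

Valid starting     Expires            Service principal
05/08/09 16:00:00  05/09/09 02:00:00  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
05/08/09 16:01:00  05/09/09 02:00:00  HTTP/iis.mydomain.com@MYDOMAIN.COM
"""

# Constructed sample of the error the poster saw from the MIT klist.
SAMPLE_EMPTY = "klist: No credentials cache found (ticket cache API:myuser@MYDOMAIN.COM)\n"

# One ticket row: start time, expiry time, service principal.
TICKET_LINE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<service>\S+)\s*$"
)


def parse_klist(text: str) -> Dict[str, object]:
    """Parse MIT klist output into {cache, principal, tickets}."""
    result: Dict[str, object] = {"cache": None, "principal": None, "tickets": []}
    m = re.search(r"No credentials cache found \(ticket cache ([^)]+)\)", text)
    if m:  # klist failed: record which cache it looked in, no tickets
        result["cache"] = m.group(1)
        return result
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            result["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            result["principal"] = line.split(":", 1)[1].strip()
        else:
            t = TICKET_LINE.match(line)
            if t:
                result["tickets"].append(t.group("service"))
    return result


def has_tgt(parsed: Dict[str, object], realm: str) -> bool:
    """A TGT is a ticket for krbtgt/REALM@REALM."""
    return f"krbtgt/{realm}@{realm}" in parsed["tickets"]


def diagnose(text: str, realm: str) -> str:
    """Explain why an SSPI client (e.g. IE) may still prompt for a password."""
    parsed = parse_klist(text)
    cache = str(parsed["cache"] or "(unknown)")
    if not has_tgt(parsed, realm):
        return f"no TGT for {realm} in cache {cache}"
    if not cache.upper().startswith("MSLSA:"):
        return f"TGT present, but only in {cache}; SSPI clients read MSLSA:, not this cache"
    return f"TGT for {realm} is in {cache}; SSPI clients can use it"
```

Run it against the real `klist` output from c:\Program Files\MIT\Kerberos\Bin (and with `-c MSLSA:` to inspect the LSA cache) to see which of the three cases applies.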