[31095] in Kerberos


Re: Active Directory Kerberos Server and Windows MIT Tools Client

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon May 11 10:25:04 2009

Message-ID: <4A083525.90000@anl.gov>
Date: Mon, 11 May 2009 09:24:37 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: "Schreiter,Jonathan M." <SCHREIJM@airproducts.com>
In-Reply-To: <681E55847A76D4449B702D8B7DE7ED851F8C81@US1013EXMP.america.apci.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

In addition to what Jeff proposed, you can use the runas command with other
commands. cmd.exe is one, as it then gives you a command window to start
other commands, including explorer or iexplorer, so you only have to
enter the user/password once.

The runas.exe /netonly can also be used on machines not joined to the domain,
to get credentials from the domain, usable on the network.

Also see:
  http://support.microsoft.com/kb/225035
  "Secondary Logon (Run As): Starting Programs and Tools in Local Administrative Context"

And to get explorer to run also see:
  http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx
  "How do you set the “separate process” flag, then?"
  "How do I tell my admin windows from my normal windows?"


Schreiter,Jonathan M. wrote:
> Hello,
> I currently have an AD 2003 environment that serves as a Kerberos server.  Normally, with a standard Windows XP / Vista client (that is joined to the domain), when I log in with a domain account I get a TGT for the AD domain / realm.  This TGT is then used to get tickets for various other services that require Kerberos.  When I run a klist from the MIT tools installed on this client, I show my ticket cache: MSLSA.
>  
> I need to log in with a local account on this same computer (still joined to the domain).  I'd like to be able via command line to enter in my AD credentials to acquire a tgt just as if I was a login from the original CTRL+ALT+DEL screen.
>  
> Also, MYDOMAIN.COM = MYREALM.COM
>  
> After logging in locally, I tried to do a simple kinit myuser@MYDOMAIN.COM and it took the password.  However, if I use Internet Explorer to go to an IIS server that requires kerberos authentication, I am still prompted for my username and password.
>  
> I then drilled in to the GUI Network Identity Manager.  Under Kerberos v5 Credential Cache I have Include Windows LSA cache (MSLSA:) checked.  Under Realms I added a new realm MYDOMAIN.COM.  I added an AD DC for the Kerberos Server, but I left Domains that map to MYDOMAIN.COM empty (not sure what's supposed to go here).
>  
> I then entered my kerberos authentication in to the GUI and it took my password.  However, it still doesn't see the tgt in the MSLSA (if I try to use a klist from the Windows NT Resource Kit).  If I run klist from c:\Program Files\MIT\Kerberos\Bin I get a klist: No credentials cache found (ticket cache API:myuser@MYDOMAIN.COM).  Also, if I try to run IE to hit an IIS web server requiring Kerberos, it still prompts me for my credentials.
>  
> I think I'm almost there - but can someone help me connect the pieces?  Again, I would like to log in to a windows xp / vista computer, enter a username and password to obtain a tgt in the mslsa, so that IE can hit an IIS server that requires kerberos w/o typing in the password again.
>  
> Any help would be GREATLY appreciated.
>  
> Many thanks,
> Jonathan
>  
>  
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
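A way to see which cache actually holds the TGT in the runas /netonly window described above, as an added example that is not part of the original thread or of the MIT or Microsoft tools: it assumes MIT Kerberos for Windows at the path quoted in the post, and the realm and user names from the post (MYDOMAIN.COM, myuser).

```powershell
# Added example (not from the thread, not an MIT or Microsoft tool).
# Run it inside the command window Douglas describes, started with
#   runas /netonly /user:MYDOMAIN\myuser cmd.exe
# e.g.:  powershell -ExecutionPolicy Bypass -File .\Check-Tgt.ps1
# Assumptions: MIT KfW at the path quoted in the post; realm and user from the post.
$Realm    = 'MYDOMAIN.COM'
$User     = 'myuser'
$MitKlist = 'C:\Program Files\MIT\Kerberos\Bin\klist.exe'

function Get-TgtLine {
    # Returns the krbtgt line that MIT klist prints for the named cache, or $null.
    param([Parameter(Mandatory)][string]$CacheName)   # 'MSLSA:' or 'API:myuser@MYDOMAIN.COM'
    if (-not (Test-Path -LiteralPath $MitKlist)) { throw "MIT klist not found at $MitKlist" }
    $out = (& $MitKlist -c $CacheName 2>&1) | Out-String
    if ($out -match 'No credentials cache found') { return $null }
    $pattern = [regex]::Escape("krbtgt/$Realm@$Realm")
    return ($out -split "`r?`n" | Where-Object { $_ -match $pattern } | Select-Object -First 1)
}

# Internet Explorer and every other SSPI client use only the LSA cache of the logon
# session they run in, so MSLSA: is the cache that decides whether IIS prompts again.
$lsaTgt = Get-TgtLine -CacheName 'MSLSA:'
$apiTgt = Get-TgtLine -CacheName "API:$User@$Realm"

if ($lsaTgt) {
    Write-Host "LSA cache holds a TGT: $lsaTgt"
    Write-Host 'IE started from this window should reach the IIS server without a prompt.'
} else {
    Write-Host 'No TGT in MSLSA: for this logon session.'
    Write-Host 'With /netonly the TGT is only requested on first use of the credentials;'
    Write-Host 'access a domain resource from this window (e.g. net use to a DC share), then re-run.'
}
if ($apiTgt -and -not $lsaTgt) {
    Write-Host "kinit put the TGT in the MIT API: cache ($apiTgt), which IE never consults;"
    Write-Host 'that is why the password prompt came back.'
}
```

The API: cache name follows the form shown in the post's klist error; if the local account name differs from the domain user, adjust $User to the name that appears there.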

