Win logon to a MIT Kerberos V KDC?
Luke Howard
lukeh at PADL.COM
Wed Sep 25 21:00:08 EDT 2002
>I've fine-combed the 'Net for anything that can do this,
>but can't find anything.
>
>Hasn't anyone written a MSGINA replacement that allows
>authentication against a MIT Kerberos KDC?
If you are using Windows 2000, you can use ksetup to configure
authentication against a non-Windows KDC, with the proviso that
users must have existing local or Active Directory accounts.

In any case, a GINA is not the correct place to hook in support for
additional authentication providers; it only deals with interactive,
not network, authentication. Existing GINAs that create temporary
local accounts for users at logon are a kludge at best.

The correct abstraction is to write a Kerberos LSA provider, which is
what Microsoft did with Windows 2000. A local or Active Directory
account is required so that a token with the correct authorization
information may be constructed at logon.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
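
The ksetup configuration mentioned in the reply, as an added example that is not part of the original post. The realm EXAMPLE.COM, the KDC kdc.example.com, the host winhost and the user alice are constructed values, and the switch names are those of the Windows 2000-era tool (later releases spell two of them /setrealm and /setcomputerpassword).

```bat
rem Added example. Constructed values: EXAMPLE.COM, kdc.example.com, winhost, alice.
rem Prerequisite on the MIT KDC (inside kadmin): a host principal for this
rem machine, created with the same password that is entered in step 2:
rem   addprinc -pw MACHINE_PASSWORD host/winhost.example.com

rem 1. Point the workstation at the realm and tell it where the KDC is.
ksetup /setdomain EXAMPLE.COM
ksetup /addkdc EXAMPLE.COM kdc.example.com

rem 2. Set the machine account password to match the host principal's key.
set /p MACHPW=Machine password: 
ksetup /setmachpassword %MACHPW%
set MACHPW=

rem 3. The proviso from the reply: the user needs an existing local account,
rem    because the logon token is built from that account, not from the KDC.
rem    "*" makes net user prompt for the password instead of taking it inline.
net user alice * /add

rem 4. Map the Kerberos principal to that local account. One explicit mapping
rem    per user keeps logon limited to accounts an administrator created.
ksetup /mapuser alice@EXAMPLE.COM alice

rem    The wildcard form maps every principal in the realm to a local account
rem    of the same name; use it only if every principal in the realm is
rem    trusted to own the matching local account on this machine.
rem ksetup /mapuser * *

rem 5. Review the resulting settings, then restart so they take effect.
ksetup
```

After the restart the realm appears in the logon dialog's domain list; authorization still comes entirely from the mapped local account's group memberships.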