Win logon to a MIT Kerberos V KDC?

Luke Howard lukeh at PADL.COM
Wed Sep 25 21:00:08 EDT 2002

>I've fine combed the 'Net for anything that can do this,
>but can't find anything.
>Haven't anyone written a MSGINA replacement that allow
>authentication against a MIT Kerberos KDC?

If you are using Windows 2000, you can use ksetup to configure
authentication against a non-Windows KDC, with the proviso that 
users must have existing local or Active Directory accounts.

In any case, a GINA is not the correct place to hook in support for
additional authentication providers; it only deals with interactive,
not network, authentication. Existing GINAs that create temporary
local accounts for users at logon are a kludge at best.

The correct abstraction is to write a Kerberos LSA provider, which is
what Microsoft did with Windows 2000. A local or Active Directory
account is required so that a token with the correct authorization
information may be constructed at logon.

-- Luke

Luke Howard | PADL Software Pty Ltd |

More information about the Kerberos mailing list