Win logon to a MIT Kerberos V KDC?

Luke Howard lukeh at PADL.COM
Fri Sep 27 09:48:42 EDT 2002


>    Luke> Adding support to a KDC for the PAC is not that difficult if
>    Luke> you have a sensible architecture (for example, an integrated
>    Luke> directory backend for the KDC). The difficulty lies in some
>    Luke> of the other, unpublished, protocols which are necessary to
>    Luke> domain logon.
>
>Isn't M$ publishing all the addition/changes to the LDAP/Kerberos
>protocol?

Not all of them, and there are other protocols other than Kerberos
that are necessary. Microsoft might license them to you, though:

	http://www.microsoft.com/legal/protocols/

You will need to execute a non-disclosure agreement before they will
disclose the licensing terms.

>And 'integrated directory backend'. Couldn't that be a OpenLDAP2
>server tied with Kerberos (the way openldap2+heimdal combo does it)?

What, the one we wrote? :-) In principle, yes, but there are a number of
other issues, such as name canonicalization, that require changes to
the KDC frontend and Kerberos libraries as well as the backend.

The following article, although partly inaccurate, has a good summary
of what would be required:

	http://www.usenix.org/publications/login/1998-5/brundrett.html

More information on our implementation is at:

	http://www.padl.com/Research/XAD.html

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com
