Win logon to a MIT Kerberos V KDC?

Luke Howard lukeh at PADL.COM
Fri Sep 27 09:48:42 EDT 2002

>    Luke> Adding support to a KDC for the PAC is not that difficult if
>    Luke> you have a sensible architecture (for example, an integrated
>    Luke> directory backend for the KDC). The difficulty lies in some
>    Luke> of the other, unpublished, protocols which are necessary to
>    Luke> domain logon.
>Isn't M$ publishing all the addition/changes to the LDAP/Kerberos

Not all of them, and there are other protocols other than Kerberos
that are necessary. Microsoft might license them to you, though:

You will need to execute a non-disclosure agreement before they will
disclose the licensing terms.

>And 'integrated directory backend'. Couldn't that be a OpenLDAP2
>server tied with Kerberos (the way openldap2+heimdal combo does it)?

What, the one we wrote? :-) In principle, yes, but there are a number of
other issues, such as name canonicalization, that require changes to
the KDC frontend and Kerberos libraries as well as the backend.

The following article, although partly inaccurate, has a good summary
of what would be required:

More information on our implementation is at:

-- Luke

Luke Howard | PADL Software Pty Ltd |
