howto obtain TGT on login to windows machine without AD

Ben Creech bpcreech at
Thu Aug 28 11:09:32 EDT 2003

On standalone XP machines, you can set up your realm information and map 
Kerberos principals to local accounts using ksetup.exe, which comes on the 
Windows CD in Support\Tools.  For details, look here:

Once that is done, you can log in as user@MIT.BASED.REALM.GMX.DE.  If that 
succeeds, you will have a Kerberos TGT for the MIT-based realm, but in 
Microsoft's ticket cache.  At that point, you run ms2mit.exe to copy the 
TGT to the MIT ticket cache, then run aklog.  So, you'll need a login 
script that looks like:
aklog cell1
aklog cell2

I am not sure if that works for XP machines in NT4 domains.  Either way, in 
my experience, standalone Win2k machines will not do principal->account 

Another route is to write a network provider Dll (perhaps a modified 
AFSLogon.dll) to capture the user's password and do "something" with it. 
That "something" is complicated by the fact that the network provider Dll 
runs as LocalSystem in the same Window Station as the Gina (login screen), 
so authenticating right then and there will get you tickets and tokens in 
the wrong place.

If all you want is AFS tokens, the Network Provider can get a TGT and aklog 
right then and there, using a special parameter in the AFS token interface to 
send the tokens to the right account.  This would amount to modifying a 
function or two within AFSLogin.dll - you would need to change the kaserver 
init to a Kerberos 5 init, paste the krb524 code from aklog, and fill in 
the smbname field in the ktc_principal structure when calling ktc_SetToken 
so that the token ends up associated with the correct user.

If you want full MIT TGTs you'd need to do something weird to get either 
the user's password or marshalled TGTs into the user's session.  This 
would be hard.

Ben Creech
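The standalone-XP route described in the post (ksetup realm setup and principal mapping, then ms2mit plus aklog at login), written out as one batch file. This is an added example, not Ben Creech's script or part of the MIT Kerberos or OpenAFS distributions; the KDC hostname is a placeholder, the cell names cell1 and cell2 are taken from the post, and the local account name is assumed.

```batch
@echo off
rem Added example: realm setup plus a login script for a standalone XP box.
rem Not the original poster's script. KDC hostname and local account name
rem are assumptions; cell names come from the post.

rem ---- One-time setup, run once as Administrator, then reboot. ----
rem These ksetup.exe switches are documented in Support\Tools:
rem   ksetup /setrealm MIT.BASED.REALM.GMX.DE
rem   ksetup /addkdc  MIT.BASED.REALM.GMX.DE kdc.example.invalid   (placeholder)
rem   ksetup /mapuser user@MIT.BASED.REALM.GMX.DE user             (local account)
rem After the reboot, log in as user@MIT.BASED.REALM.GMX.DE; a successful
rem logon leaves the TGT in Microsoft's ticket cache (LSA), not MIT's.

rem ---- Login script: run at every logon as the mapped user. ----
setlocal
set CELLS=cell1 cell2

rem Step 1: copy the TGT from the LSA cache into the MIT (KfW) cache.
rem If this fails there is no usable TGT, so stop before touching AFS.
ms2mit.exe
if errorlevel 1 (
  echo ms2mit failed: no Kerberos TGT in the Windows cache for this realm >&2
  exit /b 1
)

rem Step 2: turn the TGT into an AFS token for each cell. A failure in one
rem cell should not prevent tokens for the others, so only report it.
for %%C in (%CELLS%) do (
  aklog %%C
  if errorlevel 1 echo aklog failed for cell %%C >&2
)

rem Step 3: show what the user actually holds, so a wrong-cache or
rem wrong-account problem is visible at logon rather than at first file access.
klist
tokens
endlocal
```

The `if errorlevel 1` checks matter because ms2mit.exe silently does nothing useful when the logon was local rather than Kerberos; checking its exit code before calling aklog avoids ending up with a login that "succeeded" but holds no tokens.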
