Win2000 PAC-Credentials Implementation
JK Jaganathan
karthikj at windows.microsoft.com
Thu Sep 4 14:47:55 EDT 2003
> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Tobias Heide
> Sent: Tuesday, September 02, 2003 10:43 PM
> To: kerberos at MIT.EDU
> Subject: Win2000 PAC-Credentials Implementation
>
> Hi there!
>
> I wanted to have Windows 2000 Clients authenticate against an MIT Kerberos
> 1.3.1 KDC. But during implementation I came across some questions:
>
> 1. Is there an implementation for the Windows 2000 additional
> authorization information, which they keep in their tickets?
> There is an internet draft (which is expired), but is there
> an implementation as well?
AFAIK there is no implementation released by Microsoft or others. The
PAC specification can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp
>
> 2. Does anyone know why MS messes up DNS with certain
> _mscd, _tcp (etc.) Domains? What is the sense behind this?
>
These are SRV records that support service location. The _msdcs is used
for DC location. The _tcp and _udp are for the KDC.
> 3. Is there a backend for LDAP in MIT Kerberos? Could as well
> be beta, because this is only a case study until now.
>
> 4. Did anyone get it to run? (both, LDAP and/or Win2000 Clients)
>
You can get W2K clients to work against an MIT KDC even without having
any PAC support on the MIT KDC. You will have to use ksetup to map
the Kerberos users to local accounts. See
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> Overall goal would be, to have some kind of active directory,
> but based on Open Source Software.
>
> Thanks in advance,
> tobi
> --
> System Administrator DAASI International GmbH
> http://www.daasi.de
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
This posting is provided "AS IS" with no warranties, and confers no
rights.
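
The SRV-based service location mentioned in the reply to question 2, as an added example that is not part of the original thread or of any project's code. It parses zone-file SRV lines, separates KDC-location records (`_kerberos._udp` / `_kerberos._tcp`) from DC-location records under `_msdcs`, and orders targets by priority. The zone data, the realm `example.com` and all function names are constructed for illustration; weight is used only as a deterministic tie-break here, whereas RFC 2782 clients pick among equal priorities at random in proportion to weight.

```python
from collections import defaultdict

# Constructed zone data for a hypothetical realm/domain example.com.
ZONE = """\
_kerberos._udp.example.com. 3600 IN SRV 0 100 88 kdc1.example.com.
_kerberos._tcp.example.com. 3600 IN SRV 0 100 88 kdc1.example.com.
_kerberos._udp.example.com. 3600 IN SRV 10 100 88 kdc2.example.com.
_kerberos._tcp.dc._msdcs.example.com. 3600 IN SRV 0 100 88 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 3600 IN SRV 0 100 389 dc1.example.com.
www.example.com. 3600 IN A 192.0.2.10
"""

def parse_srv(zone_text):
    """Yield (owner, priority, weight, port, target) for each SRV line."""
    for line in zone_text.splitlines():
        f = line.split()
        # owner ttl class type priority weight port target
        if len(f) != 8 or f[2].upper() != "IN" or f[3].upper() != "SRV":
            continue
        yield (f[0].rstrip(".").lower(), int(f[4]), int(f[5]),
               int(f[6]), f[7].rstrip(".").lower())

def classify(owner):
    """Label an SRV owner name by what a client uses it to locate."""
    labels = owner.lower().rstrip(".").split(".")
    if "_msdcs" in labels:
        return "dc-location"      # Windows domain controller location
    if len(labels) > 1 and labels[0] == "_kerberos" and labels[1] in ("_udp", "_tcp"):
        return "kdc-location"     # generic Kerberos KDC location
    return "other"

def locate(zone_text):
    """Map (kind, owner) -> [(target, port), ...], lowest priority value first."""
    groups = defaultdict(list)
    for owner, prio, weight, port, target in parse_srv(zone_text):
        groups[(classify(owner), owner)].append((prio, -weight, target, port))
    return {k: [(t, p) for _, _, t, p in sorted(v)] for k, v in groups.items()}

def kdc_candidates(zone_text, realm, proto="udp"):
    """KDCs a client would try for a realm, in SRV priority order."""
    owner = "_kerberos._%s.%s" % (proto, realm.lower())
    return locate(zone_text).get(("kdc-location", owner), [])

if __name__ == "__main__":
    for key, targets in sorted(locate(ZONE).items()):
        print(key, targets)
```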