Win2000 PAC-Credentials Implementation

JK Jaganathan karthikj at windows.microsoft.com
Thu Sep 4 14:47:55 EDT 2003


 

> -----Original Message-----
> From: kerberos-bounces at mit.edu 
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Tobias Heide
> Sent: Tuesday, September 02, 2003 10:43 PM
> To: kerberos at MIT.EDU
> Subject: Win2000 PAC-Credentials Implementation
> 
> Hi there!
> 
> I wanted to have Windows 2000 Clients authenticate against an
> MIT Kerberos 1.3.1 KDC. But during implementation I came across
> some questions:
> 
> 1. Is there an implementation for the Windows 2000 additional 
> authorization information, which they keep in their tickets? 
> There is an internet draft (which is expired), but is there 
> an implementation as well?
AFAIK there is no implementation released by Microsoft or others. The
PAC specification can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp
 
> 
> 2. Does anyone know why MS messes up DNS with certain 
> _mscd, _tcp (etc.) Domains? What is the sense behind this?
> 
These are SRV records that support service location. The _msdcs is used 
for DC location. The _tcp and _udp are for the KDC.

> 3. Is there a backend for LDAP in MIT Kerberos? Could as well 
> be beta, because this is only a case study until now.
> 
> 4. Did anyone get it to run? (both, LDAP and/or Win2000 Clients)
> 
You can get W2K clients to work against an MIT KDC even without having 
any PAC support on the MIT KDC. You will have to use ksetup to map 
the Kerberos users to local accounts. See
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

> Overall goal would be, to have some kind of active directory, 
> but based on Open Source Software.
> 
> Thanks in advance,
> tobi
> --
> System Administrator DAASI International GmbH 
> http://www.daasi.de
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

 This posting is provided "AS IS" with no warranties, and confers no
rights.
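
The ksetup procedure mentioned in the reply above, written out as an added example that is not part of the original posting. The realm, host names, user name and password are placeholders, and the switches are those of the Windows 2000 ksetup tool (later Windows versions name /setdomain as /setrealm).

```bat
@echo off
rem Added example: point a standalone Windows 2000 workstation at an MIT KDC
rem and map Kerberos principals to local accounts (no PAC needed on the KDC).
rem
rem Placeholders, not values from the original post:
rem   EXAMPLE.COM          realm served by the MIT KDC
rem   kdc.example.com      host name of the MIT KDC
rem   w2kclient            this workstation
rem   alice                a principal and the local account it maps to
rem   REPLACE_ME           machine password, chosen by the administrator
rem
rem Prerequisite on the MIT KDC, run once in kadmin (shown as a comment only):
rem   addprinc -pw REPLACE_ME host/w2kclient.example.com
rem The password given there must match MACHPW below.

set REALM=EXAMPLE.COM
set KDC=kdc.example.com
set MACHPW=REPLACE_ME

rem Make the workstation a member of the Kerberos realm instead of a domain.
ksetup /setdomain %REALM%

rem Tell the client which KDC serves the realm.
ksetup /addkdc %REALM% %KDC%

rem Set the local machine password to match the host principal on the KDC.
ksetup /setmachpassword %MACHPW%

rem The local account must exist before a principal can be mapped to it.
rem "*" makes net user prompt for the account password interactively.
net user alice * /add

rem Explicit one-to-one mapping: principal alice@EXAMPLE.COM logs on as the
rem local account alice. Because the MIT KDC issues no PAC, this mapping is
rem what decides the Windows identity and group memberships of the session.
ksetup /mapuser alice@%REALM% alice

rem ksetup also accepts "/mapuser * *", which maps every principal in the
rem realm to the local account of the same name. Explicit mappings keep the
rem set of principals that can log on to this machine under local control.

rem Running ksetup without arguments prints the resulting configuration.
ksetup

echo Reboot the workstation for the realm membership to take effect.
```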



