XP Workstation logging into Windows 2000/2003 AD Domain using MIT Kerberos KDC

Douglas E. Engert deengert at anl.gov
Thu Jan 27 11:05:20 EST 2005



Terry Jones wrote:

> I am pretty new to Kerberos so I may mess up the terminology. 


Start with
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

This covers all the scenarios of using Kerberos with Windows.

> 
> We have had a couple of people attempt what I am describing below and
> we have failed so far. I just wanted to consult the group with the
> basic "is this possible" question first, then expand on to broader
> questions like "who has done it" and "how is it done"
> 
> We have a student lab of Windows XP computers and we want the students
> to have to authenticate to use them. We have an MIT Kerberos KDC that
> "knows" all the students but we do not want the MIT KDC to have to
> know each and every XP workstation.

Kerberos uses a trusted third party KDC to authenticate the user to
the machine. As such the KDC shares a secret with each user, and
a secret with each machine. So some KDC in some realm will have to
have the machine principals registered.

When you say login to the XP workstation, are the workstations part
of a domain or standalone?  If standalone, see the section "Using an
MIT KDC with a Standalone Windows 2000 Workstation". This will
require the users and workstations to be registered with the KDC.

If the workstations are part of a domain, then they are registered
with the domain, and the users also need to be. Keep in mind that
Kerberos does only authentication, whereas AD uses Kerberos for
authentication, but it also does authorization, and users and
workstations need accounts.

> 
> We would like to set up a Windows Server 2003 (or 2000 if that makes a
> difference) AD Domain Controller that the students log into, but we
> want that AD Domain controller to contact the MIT KDC for
> authentication purposes.

See section "Setting Trust with a Kerberos Realm" and
"Creating Account Mappings". This tells you how to have the user
use the MIT KDC for authentication, but to authenticate to a matching
AD account.


> 
> If we have to create explicit user accounts for each student in the
> Windows Active Directory Domain we will, but if we could map them all
> to a single account that would also be good. 

Not sure if this is possible, but it looks like the "Security Identity Mapping"
window will allow multiple mappings to the same account.

> 
> In other words, we are willing to let the MIT KDC talk to the Windows
> AD Domain Controller, not all the workstations. We want the XP
> workstations to contact the Windows Domain Controller and have the
> Windows Domain Controller touch base with the MIT KDC to authenticate
> them.

Technically, the KDCs don't talk to each other. The user acquires tickets
from the KDCs that are presented to the server. In this case the workstation
working on behalf of the user would obtain a TGT ticket for the user from
the user's realm, (MIT KDC) then use this against the user's realm to
obtain a cross realm TGT ticket to the AD realm of the workstation.
It would then use this cross realm TGT to get a ticket for the workstation
from the AD. At this point the AD would spot that the user principal was
to be mapped to an AD account, and it would add the PAC authorization data
to the service ticket. So when the service ticket was presented to the server
(i.e. the workstation during login) it would have all the authentication
and authorization data it needed to let the user login.

> 
> I have set up a Windows Server 2003 AD Domain controller, It is all
> working well from a DNS point of view. It is actually talking to the
> MIT KDC but so far all I have gotten is Windows error from the tickets
> returned when attempting a local login on the Windows Server and
> authenticating to the MIT KDC. I have not had ANY success logging into
> the Windows domain from an XP workstation... no traffic to the MIT KDC
> whatsoever...


Sounds like the account mapping is missing or the user needs to
specify the full principal name user at realm in the login prompt.

> 
> I welcome your general and detailed comments! Thanks. 
> 
> Terry Jones
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
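The ticket flow described in the reply above (MIT TGT, cross-realm TGT, AD service ticket with PAC added only when an account mapping exists, and the "no traffic to the MIT KDC" symptom when the realm is left off the login name), as an added toy model that is not code from the thread or from any Kerberos implementation; the realm names, principals and mapping table are assumed values.

```python
from dataclasses import dataclass, field
from typing import List, Optional
MIT_REALM = "MIT.EXAMPLE.EDU"  # assumed realm of the MIT KDC that knows the students
AD_REALM = "AD.EXAMPLE.EDU"    # assumed realm of the Windows domain the workstations join

# Assumed contents of the AD "Security Identity Mapping": MIT principal -> AD account.
# Two students deliberately share one account to model the single-account question.
AD_ACCOUNT_MAP = {
    "alice@MIT.EXAMPLE.EDU": "AD\\alice",
    "bob@MIT.EXAMPLE.EDU": "AD\\labstudent",
    "dave@MIT.EXAMPLE.EDU": "AD\\labstudent",
}
MIT_USERS = {"alice", "bob", "carol", "dave"}  # principals the MIT KDC knows (assumed)

@dataclass
class Ticket:
    client: str
    service: str
    pac: Optional[str] = None  # authorization data; only the AD KDC adds it

@dataclass
class LoginResult:
    steps: List[str] = field(default_factory=list)  # KDC exchanges, in order
    ticket: Optional[Ticket] = None
    error: Optional[str] = None

def workstation_login(login_name: str, workstation: str) -> LoginResult:
    """Model the exchanges the XP workstation performs on behalf of the user."""
    r = LoginResult()
    if "@" not in login_name:
        # A bare name is looked up in the workstation's own realm (AD); the MIT KDC is
        # never asked, which matches the "no traffic to the MIT KDC" symptom.
        r.steps.append(f"AS-REQ to {AD_REALM} for {login_name}")
        r.error = f"{login_name}@{AD_REALM} unknown to AD; MIT KDC never contacted"
        return r
    user, realm = login_name.split("@", 1)
    if realm != MIT_REALM or user not in MIT_USERS:  # only MIT-realm users are modelled
        r.error = f"{login_name} unknown"
        return r
    r.steps.append(f"AS-REQ to {MIT_REALM}: TGT for {login_name}")
    r.steps.append(f"TGS-REQ to {MIT_REALM}: cross-realm TGT krbtgt/{AD_REALM}@{MIT_REALM}")
    r.steps.append(f"TGS-REQ to {AD_REALM} using cross-realm TGT: host/{workstation}@{AD_REALM}")
    account = AD_ACCOUNT_MAP.get(login_name)
    if account is None:
        # AD authenticated the user via the trust but has no account to authorize: no PAC, no login.
        r.error = f"no AD account mapping for {login_name}; service ticket carries no PAC"
        return r
    r.ticket = Ticket(client=login_name, service=f"host/{workstation}@{AD_REALM}", pac=account)
    return r
```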

