Authenticating Windows 2003 users to a central LDAP

Douglas E. Engert deengert at anl.gov
Fri Mar 23 11:14:33 EDT 2007



Ahmad Arshad wrote:
> Hi Preetam,
> 
> Then let me rephrase the question a little...
> 
> We have two KDC servers with realm nyu.edu. Let's call them kerb1.nyu.edu 
> and kerb2.nyu.edu.
> 
> my active directory is systems.private
> 
> I want this Active Directory authentication to authenticate off of these 
> Kerberos servers... It's easy to do in Unix and Linux, but it's killing me 
> to set it up so this Windows 2003 R2 AD can authenticate its users off 
> of those Kerberos servers.

Sounds like what you want is Kerberos authentication to your NYU.EDU realm,
with a cross-realm trust to the AD, which has the Windows services and user 
accounts. Thus a user account in the AD will be associated with a Kerberos 
principal in NYU.EDU, and when a service ticket for a Windows service is
needed, AD will add in the PAC information for the account.

See
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx

  Setting Trust With a Kerberos Realm

   Creating Account Mappings

    Account mappings are used to map a foreign Kerberos identity (in a
    trusted MIT Kerberos realm) to a local account identity in the domain.
    These account mappings are managed through the Active Directory
    Management tool.

    These account mappings will allow the Kerberos realm to act as an
    account domain. Users with Kerberos principals that have mappings to
    domain accounts, can logon to a workstation that is joined to a trusted
    domain using the Kerberos principal and password from the Kerberos realm.


> 
> Thanks
> 
> preetam R wrote:
>> Hi Ahmad,
>>
>>     FYI: The Domain Controller itself contains an LDAP
>> server.
>>
>> Thanks,
>> Preetam
>>
>> --- Ahmad Arshad <ahmad.arshad at nyu.edu> wrote:
>>
>>   
>>> Hi,
>>>
>>> I am not sure if this is the proper list for this...
>>> but any help would 
>>> be appreciated...
>>>
>>> We are running a Windows 2003 R2 server whose domain is used for user 
>>> and workstation authentication for a portion of the university 
>>> population. We wanted to tie this domain, let's call it systems.private, 
>>> into the university-wide LDAP server, let's call it ldap.nyu.edu, which 
>>> stores university-wide usernames/passwords etc.
>>>
>>> This way users who are part of the domain (remember we only want users 
>>> who are part of the domain to have access) would be able to log in to the 
>>> domain using their IDs and passwords provided by the university.
>>>
>>> I am not sure if this makes any sense...
>>>
>>> so to recap
>>>
>>> a) User tries to log into the domain with his ID and password.
>>> b) The domain controller checks to see if the user ID is in its database.
>>> c) If it is, it forwards the credential to the LDAP server for 
>>> authentication.
>>> d) If the LDAP authenticates, the user is allowed to log in...
>>>
>>> Any help would be greatly appreciated..
>>>
>>> Sincerely,
>>>
>>> Ahmad S Arshad
>>>
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>     
>>
>>
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
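
The AD side of the setup described above, as an added example (not part of the original thread, and not Microsoft's or the list's own script). It creates a one-way realm trust in which the AD domain systems.private trusts the MIT realm NYU.EDU, points Windows at the two KDCs, and writes the account mapping that the ADUC "Name Mappings" dialog in the quoted article sets. Assumed: the realm and host names from the thread, a user named aarshad with an AD account "Ahmad Arshad", and a placeholder trust password. Run on a domain controller of systems.private as a Domain Admin.

```powershell
# Added example, not from the original thread. AD-side steps for a one-way
# realm trust: SYSTEMS.PRIVATE (trusting) -> NYU.EDU (trusted MIT realm),
# followed by mapping one AD account to its NYU.EDU principal.
# Assumed names: realm NYU.EDU, KDCs kerb1.nyu.edu / kerb2.nyu.edu,
# AD domain systems.private, principal aarshad@NYU.EDU, AD user "Ahmad Arshad".
# The trust password below is a placeholder.

$Realm     = 'NYU.EDU'
$Kdcs      = 'kerb1.nyu.edu', 'kerb2.nyu.edu'
$Domain    = 'systems.private'
$TrustPass = 'ChangeMe-LongRandomSecret'   # same secret given to kadmin for krbtgt/SYSTEMS.PRIVATE@NYU.EDU

# 1. Tell Windows where the KDCs for the foreign realm are. This registry
#    setting is also needed on each workstation that will accept NYU.EDU
#    logons (or publish _kerberos SRV records for the realm in DNS instead).
foreach ($kdc in $Kdcs) { ksetup /addkdc $Realm $kdc }
ksetup /addkpasswd $Realm $Kdcs[0]

# 2. Create the realm trust. netdom's first argument is the trusting domain,
#    /Domain: is the trusted realm. The password must match the key of
#    krbtgt/SYSTEMS.PRIVATE@NYU.EDU created on the MIT KDC, using an enctype
#    both sides support (Windows 2003 realm trusts: RC4-HMAC or DES).
netdom trust $Domain "/Domain:$Realm" /add /realm "/PasswordT:$TrustPass"

# 3. Map the domain account to the foreign principal by adding
#    altSecurityIdentities, which is the attribute behind "Name Mappings".
$ldif = @"
dn: CN=Ahmad Arshad,CN=Users,DC=systems,DC=private
changetype: modify
add: altSecurityIdentities
altSecurityIdentities: Kerberos:aarshad@NYU.EDU
-
"@
$ldifPath = Join-Path $env:TEMP 'mapping.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
ldifde -i -f $ldifPath

# 4. Checks: the realm should appear in the trust list, and the mapping
#    should read back from the user object.
nltest /domain_trusts /all_trusts
dsquery * "CN=Ahmad Arshad,CN=Users,DC=systems,DC=private" -attr altSecurityIdentities
```

On the MIT side the matching step is `kadmin.local -q "addprinc -e rc4-hmac:normal krbtgt/SYSTEMS.PRIVATE@NYU.EDU"`, typing the same trust password when prompted; if the enctypes do not overlap, the cross-realm TGT request fails even though both trust objects exist. The mapping is one-to-one: a NYU.EDU principal with no altSecurityIdentities entry in systems.private gets no AD account and therefore no PAC, which is what keeps logon limited to users the domain already knows about.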


