support SSO in Windows with Kerberos TGT

Sylvain - MVP GPOs sylvaincortes at nospam_hotmail.com
Wed Feb 13 18:12:27 EST 2008


Hi,

Perhaps you can have a look at www.centrify.com, which provides an interop SSO
between Windows/Unix/Linux based on Kerberos...

sylvain


-- 
Sylvain Cortes
MVP GPOs - http://www.gpomasters.com

NEXT MEETING OF THE ACTIVE DIRECTORY COMMUNITY ON JANUARY 29 -
REGISTRATION AT WWW.CADIM.ORG

Join the Active Directory and Identity Management community!!!
http://www.cadim.org



"Eswar S" <eswars at huawei.com> wrote in message
news:mailman.170.1201506028.5144.kerberos at mit.edu...
>>> Hi,
>>>
>>>
>>> Using MIT Kerberos how can I support SSO?
>
>>You can obtain your tickets during the windows logon process from your
>>domain controller and then access them from KFW aware applications by
>>setting the default ccache to MSLSA: or by permitting Network Identity
>>Manager to synchronize the MSLSA: cache contents with an API: cache.
>>>
>
>
>
>>> Is it possible to update Microsoft cache? How can I make other
>>> kerberised applications use the cache file which is generated by my
>>> application?
>
>>On Vista the MSLSA: cache is read-write provided you do not use the
>>binaries provided by MIT.
>>KFW 3.2.2 was built incorrectly and the MIT distribution treats the
>>Vista MSLSA: cache as read-only.
>
> I want to update/add my credentials to the Microsoft (Windows XP & Vista
> & Win2k Prof) cache. So other than Vista I can't update credentials to
> "MSLSA:"
>
> How can we support SSO with a Kerberos TGT? How are all other products
> able to do this?
>
> Are they maintaining their own clients for supporting SSO?
>
>
> Here my problem is that all clients should use my cache data, which is
> generated by my application; they should not use the Microsoft login
> cache (MSLSA:).
> Or else,
> if it is possible, I should be able to update the MSLSA: cache.
>
> Is there any other way to support SSO?
>
>
>>> I mean when I got credentials (TGT) from KDC, I will store to cache file.
>>> I will set it as default cache.
>>Ok.  Then all KFW aware applications that do not specify a ccache will
>>use those credentials.
>
>
>
> ***************************************************************************************
> This e-mail and attachments contain confidential information from HUAWEI,
> which is intended only for the person or entity whose address is listed
> above. Any use of the information contained herein in any way (including,
> but not limited to, total or partial disclosure, reproduction, or
> dissemination) by persons other than the intended recipient's) is
> prohibited. If you receive this e-mail in error, please notify the sender
> by phone or email immediately and delete it!
>
>
>
>
>
> Message: 6
> Date: Fri, 25 Jan 2008 18:52:32 -0500
> From: Jeffrey Altman <jaltman at secure-endpoints.com>
> Subject: Re: support SSO in Windows with Keberos TGT
> To: eswars at huawei.com
> Cc: kerberos at mit.edu
> Message-ID: <479A7640.8090701 at secure-endpoints.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Eswar S wrote:
>> Hi,
>>
>>
>> Using MIT Kerberos how can I support SSO?
> You can obtain your tickets during the windows logon process from your
> domain controller and then access them from KFW aware applications by
> setting the default ccache to MSLSA: or by permitting Network Identity
> Manager to synchronize the MSLSA: cache contents with an API: cache.
>>
>> Is it possible to update Microsoft cache? How can I make other kerberised
>> applications use the cache file which is generated by my application?
> On Vista the MSLSA: cache is read-write provided you do not use the
> binaries provided by MIT.
> KFW 3.2.2 was built incorrectly and the MIT distribution treats the
> Vista MSLSA: cache as read-only.
>>
>> I mean when I got credentials (TGT) from KDC, I will store to cache file.
>> I will set it as default cache.
> Ok.  Then all KFW aware applications that do not specify a ccache will
> use those credentials.
>>
>>  My doubt is how all are supporting SSO using Kerberos tokens.
>>
>>  How can I update Microsoft cache? Is it possible?
>>
>> Please help me in this regard. I will be waiting for your reply.
>>
>> Thanks and Regards,
>> Eswar S
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> ------------------------------
>
> Message: 7
> Date: Fri, 25 Jan 2008 21:09:20 -0500
> From: "Matt Smith" <matt.smith at uconn.edu>
> Subject: Re: [lib]kadm on Windows?
> To: "Russ Allbery" <rra at stanford.edu>
> Cc: kerberos at mit.edu
> Message-ID:
> <44a3206d0801251809p2271942fkdca5b5eeb3d748c2 at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Jan 25, 2008 6:28 PM, Russ Allbery <rra at stanford.edu> wrote:
>>
>> That's the bit that I was referring to where I hadn't had a chance to
>> include the patch yet.  I'm hoping to get it into the next release,
>> although I don't yet have a plan for when that will be.
>>
>
> I'll probably start digging into this in about a month.   If it will help
> any, I'll report back anything I find.  Is there a preferred forum for
> remctl discussion?
>
> Thank you,
> -Matt
> -- 
> matt at forsetti.com
> Key ID:D6EEC5B5
>
>