Heimdal KDC, Windows XP and local users

Jeffrey Altman jaltman at secure-endpoints.com
Wed Jan 9 11:19:18 EST 2008


Christopher D. Clausen wrote:
> Victor Sudakov <vas at mpeks.no-spam-here.tomsk.su> wrote:
>> I have configured Windows XP to use a Heimdal KDC for user
>> authentication. All existing Windows users can authenticate against
>> the KDC, user mapping is "ksetup /mapuser * *".
>>
>> However, Windows does not create a new local user with the same name
>> as the Kerberos principal I try to authenticate as.
>
> No, Windows does not, nor should it.  You mapped all principals to a
> single user account.  If you want separate accounts, you'll need to
> actually create the accounts ahead of time and map the principal to the
> individual accounts.
"ksetup /mapuser * *" does not map all users to a single account.  It
maps Kerberos principals to local accounts (if they exist) whose
username matches the first component of the principal.

However, Windows will not create accounts on the fly.  A GINA could 
definitely do that for XP (but not Vista).  I don't know if a Network 
Provider could do it.  I'm thinking not because by the time the Network 
Provider has been called I believe the SID of the user must be determined.

Jeffrey Altman
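
The mapping behaviour discussed in this thread, as an added Python model (not code from the thread or from Windows): a wildcard "ksetup /mapuser * *" entry selects the existing local account whose name equals the first component of the principal, an explicit per-principal entry names the account directly, and a principal with no matching account gets nothing, since Windows does not create accounts on the fly. It assumes (not stated in the thread) that an explicit entry takes precedence over the wildcard and that local account names are matched case-insensitively.

```python
# Constructed model of how "ksetup /mapuser" entries select a local account.
# Illustration of the behaviour described in the thread, not Windows' own logic.

def principal_first_component(principal: str) -> str:
    """Return the first name component of a Kerberos principal.

    "vas@EXAMPLE.ORG"       -> "vas"
    "vas/admin@EXAMPLE.ORG" -> "vas"
    """
    name_part = principal.split("@", 1)[0]
    return name_part.split("/", 1)[0]


def resolve_local_account(principal: str, mappings: dict, local_accounts: set):
    """Pick the local account a principal maps to, or None if none exists.

    mappings       : {principal: local_account}; the key "*" with value "*"
                     represents "ksetup /mapuser * *".
    local_accounts : names of accounts that already exist on the machine.

    Assumptions (not stated in the thread): an explicit mapping for the exact
    principal wins over the wildcard, and local account names are matched
    case-insensitively.
    """
    by_lower = {name.lower(): name for name in local_accounts}

    if principal in mappings:
        candidate = mappings[principal]
    elif mappings.get("*") == "*":
        candidate = principal_first_component(principal)
    else:
        return None
    # No account is created on the fly: with no matching account, logon fails.
    return by_lower.get(candidate.lower())


def unmapped_principals(principals, mappings, local_accounts):
    """Principals that would fail logon because no local account matches."""
    return [p for p in principals
            if resolve_local_account(p, mappings, local_accounts) is None]


if __name__ == "__main__":
    # Constructed sample data.
    local = {"Administrator", "vas"}
    wildcard = {"*": "*"}
    print(resolve_local_account("vas@EXAMPLE.ORG", wildcard, local))      # vas
    print(resolve_local_account("newuser@EXAMPLE.ORG", wildcard, local))  # None
    print(unmapped_principals(["vas@EXAMPLE.ORG", "newuser@EXAMPLE.ORG"],
                              wildcard, local))
```

Running unmapped_principals over the principals in a KDC's user list gives the accounts an administrator still has to create before those users can log on.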
