support SSO in Windows with Kerberos TGT

Eswar S eswars at huawei.com
Mon Jan 28 02:39:16 EST 2008


>> Hi,
>>
>>
>> Using MIT Kerberos how can I support SSO?

>You can obtain your tickets during the windows logon process from your 
>domain controller and then access them from KFW aware applications by 
>setting the default ccache to MSLSA: or by permitting Network Identity 
>Manager to synchronize the MSLSA: cache contents with an API: cache.
>>



>> Is it possible to update the Microsoft cache? How can I make other kerberised
>> applications use the cache file which is generated by my application?

>On Vista the MSLSA: cache is read-write provided you do not use the 
>binaries provided by MIT.
>KFW 3.2.2 was built incorrectly and the MIT distribution treats the 
>Vista MSLSA: cache as read-only.

	I want to update/add my credentials to the Microsoft (Windows XP, Vista
and Win2k Prof) cache. So, other than on Vista, I can't update credentials
in "MSLSA:".

	How can we support SSO with a Kerberos TGT? How are all other products
able to do this?

	Are they maintaining their own clients for supporting SSO?


	My problem here is that all clients should use my cache data, which is
generated by my application; they should not use the Microsoft login
cache (MSLSA:).
	Or else,
	if it is possible, I should be able to update the MSLSA: cache.

	Is there any other way to support SSO?


>> I mean that when I get credentials (a TGT) from the KDC, I will store them
>> in a cache file. I will set it as the default cache.
>Ok.  Then all KFW aware applications that do not specify a ccache will 
>use those credentials.




 



Message: 6
Date: Fri, 25 Jan 2008 18:52:32 -0500
From: Jeffrey Altman <jaltman at secure-endpoints.com>
Subject: Re: support SSO in Windows with Keberos TGT
To: eswars at huawei.com
Cc: kerberos at mit.edu
Message-ID: <479A7640.8090701 at secure-endpoints.com>
Content-Type: text/plain; charset="iso-8859-1"

Eswar S wrote:
> Hi,
>
>
> Using MIT Kerberos how can I support SSO?
You can obtain your tickets during the windows logon process from your 
domain controller and then access them from KFW aware applications by 
setting the default ccache to MSLSA: or by permitting Network Identity 
Manager to synchronize the MSLSA: cache contents with an API: cache.
>
> Is it possible to update the Microsoft cache? How can I make other kerberised
> applications use the cache file which is generated by my application?
On Vista the MSLSA: cache is read-write provided you do not use the 
binaries provided by MIT.
KFW 3.2.2 was built incorrectly and the MIT distribution treats the 
Vista MSLSA: cache as read-only.
>
> I mean that when I get credentials (a TGT) from the KDC, I will store them
> in a cache file. I will set it as the default cache.
Ok.  Then all KFW aware applications that do not specify a ccache will 
use those credentials.
>
>  My doubt is how all are supporting SSO using Kerberos tokens.
>
>  How can I update Microsoft cache? Is it possible? 
>
> Please help me in this regard. I will be waiting for your reply.
>
> Thanks and Regards,
> Eswar S
>
>

------------------------------

Message: 7
Date: Fri, 25 Jan 2008 21:09:20 -0500
From: "Matt Smith" <matt.smith at uconn.edu>
Subject: Re: [lib]kadm on Windows?
To: "Russ Allbery" <rra at stanford.edu>
Cc: kerberos at mit.edu
Message-ID:
	<44a3206d0801251809p2271942fkdca5b5eeb3d748c2 at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On Jan 25, 2008 6:28 PM, Russ Allbery <rra at stanford.edu> wrote:
>
> That's the bit that I was referring to where I hadn't had a chance to
> include the patch yet.  I'm hoping to get it into the next release,
> although I don't yet have a plan for when that will be.
>

I'll probably start digging into this in about a month.   If it will help
any, I'll report back anything I find.  Is there a preferred forum for
remctl discussion?

Thank you,
-Matt
-- 
matt at forsetti.com
Key ID:D6EEC5B5

