support SSO in Windows with Kerberos TGT

Jeffrey Altman jaltman at secure-endpoints.com
Mon Jan 28 09:17:49 EST 2008


Eswar S wrote:
>> On Vista the MSLSA: cache is read-write provided you do not use the
>> binaries provided by MIT.
>> KFW 3.2.2 was built incorrectly and the MIT distribution treats the 
>> Vista MSLSA: cache as read-only.
>
> 	I want to update/add my credentials to the Microsoft (Windows XP & Vista
> & win2k prof) cache. So other than Vista I can't update credentials to
> "MSLSA:"
You can't write to the XP MSLSA: cache as it is read-only.  If all of
your tickets were obtainable using the Microsoft Kerberos SSP then the
tickets will already be in the cache and there will be nothing that
needs to be written.
>
> 	How can we support SSO with Kerberos TGT? How are all other products
> able to do this?
What do you mean by other products?
>
> 	They are maintaining their own clients for supporting SSO?
What do you mean by "maintaining their own clients?"
>
> 	Here my problem is that all clients should use my cache data, which is
> generated by my application; they should not use the Microsoft login
> cache (MSLSA:).
> 	Or else
> 	If it is possible I should be able to update the MSLSA: cache.
>
> 	Is there any other way to support SSO?
SSO does not imply single cache.  SSO means that the user only has to
enter their logon credentials once.  KFW as it is deployed supports
SSO by cloning the MSLSA cache for applications that use its APIs.

KFW supports the simultaneous use of multiple identities (aka
Kerberos principals) and therefore supports the use of multiple
simultaneous credential caches (one per principal.)

Why don't you explain your application and how it is "special"
so that we can get a better idea of what you are really attempting
to accomplish.

Jeffrey Altman
