Kerberos on Windows
Chris Lowe
chris.lowe at dvallcoll.vic.edu.au
Fri Mar 7 06:56:03 EST 2008

Hi there,

I'm having major problems with Kerberos on Windows. I should mention
that I'm a complete n00b when it comes to these things, and I'm
really trying to spread my wings.

I'm an I.T. tech at a high school in Australia. We use Windows 2003
(R2, SP2) domain controllers and XP workstations in a domain
environment. There are also some Mac OS X 10.3/4/5 machines; also in
play here are a few Linux servers - I've successfully set up our
intranet site (PHP on Apache) to use Kerberos authentication, bound
both Linux servers to AD, and we're now working on squid authing via
Kerberos as well. The ultimate goal here is single sign-on, with
fallback to prompting the user to sign in if they don't have a ticket.
Staff laptops aren't joined to the domain.

On staff Mac laptops, by just adding kinit user@DOMAIN to their
"connect to network" script, users are able to connect to CIFS shares
and printers on the AD2k3 servers with no problems, and Safari passes
Kerberos auth details to the intranet servers. This is a beautiful,
incredibly simple solution, especially when compared to some of the
previous AppleScript "solutions".

On non-domain Windows XP laptops, that couldn't be further from the
truth. Using MIT KfW's Network Identity Manager (or kinit), I'm able
to request a ticket for the domain - no problems there. I can even do
this for other users; I can even do this from workstations on other
2k3 domains. However, from what I read, these tickets are only
available to programs which use the KfW API and aren't accessible by
any other programs - for example, Internet Explorer, or Windows' CIFS/
SMB client.

Ideally, what I want to do on the non-domain Windows laptops is
something along the lines of calling kinit from a "Connect to
Network" script, which would then allow network drives to be mapped
and any other Kerberos resource in the domain to be used without the
staff member being prompted for a password, as described for our Mac
clients. At the moment it looks like it isn't actually possible to do
this in Windows XP.

PLEASE help! :-)

---
Chris Lowe