Kerberos on Windows

Chris Lowe chris.lowe at dvallcoll.vic.edu.au
Fri Mar 7 06:56:03 EST 2008


Hi there,

I'm having major problems with Kerberos on Windows. I should mention  
that I'm a complete n00b when it comes to these things, and I'm  
really trying to spread my wings.

I'm an I.T. tech at a high school in Australia. We use Windows 2003  
(R2, SP2) domain controllers and XP workstations in a domain  
environment. There are also some Mac OS X 10.3/4/5 machines; also in  
play here are a few Linux servers - I've successfully set up our  
intranet site (PHP on Apache) to use Kerberos authentication, bound  
both Linux servers to AD, and we're now working on squid authing via  
kerberos as well. The ultimate goal here is single-sign-on, with  
fallback to prompting the user to sign in if they don't have a ticket.

Staff laptops aren't joined to the domain.

On staff mac laptops, by just adding kinit user@DOMAIN to their  
"connect to network" script, users are able to connect to CIFS shares  
and printers on the AD2k3 servers with no problems, and Safari passes  
kerberos auth details to the intranet servers. This is a beautiful,  
incredibly simple solution, especially when compared to some of the  
previous AppleScript "solutions".

On non-domain Windows XP laptops, that couldn't be further from the  
truth. Using MIT KfW's Network Identity Manager (or kinit), I'm able  
to request a ticket for the domain - no problems there. I can even do  
this for other users; I can even do this from workstations on other  
2k3 domains. However, from what I read, these tickets are only  
available to programs which use the KfW API and aren't accessible by  
any other programs - for example, Internet Explorer, or Windows' CIFS/ 
SMB client.

Ideally, what I want to do on the non-domain Windows laptops is  
something along the lines of calling kinit from a "Connect to  
Network" script, which would then allow network drives to be mapped  
and any other kerberos resource in the domain to be used without the  
staff member being prompted for a password, as described for our Mac  
clients. At the moment it looks like it isn't actually possible to do  
this in Windows XP.

PLEASE help! :-)

---
Chris Lowe
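An added example (not from the post above) of the "connect to network" logic the Mac script relies on: inspect the credential cache and run kinit only when no unexpired TGT for the realm is present, so the user is prompted exactly when single sign-on cannot proceed. The realm SCHOOL.EXAMPLE, the principal and the klist sample are constructed assumptions.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of MIT-style `klist` output (assumption), used so the
# ticket check can be exercised offline without a Kerberos client.
SAMPLE_KLIST = """Ticket cache: API:501
Default principal: jsmith@SCHOOL.EXAMPLE

Valid starting       Expires              Service principal
03/07/08 08:00:00    03/07/08 18:00:00    krbtgt/SCHOOL.EXAMPLE@SCHOOL.EXAMPLE
03/07/08 08:01:12    03/07/08 18:00:00    cifs/files.school.example@SCHOOL.EXAMPLE
"""

# One ticket line: start time, expiry time, service principal.
TICKET_LINE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)


def tgt_expiry(klist_output, realm):
    """Return the expiry of the cached krbtgt ticket for `realm`, or None."""
    want = f"krbtgt/{realm}@{realm}"
    for line in klist_output.splitlines():
        m = TICKET_LINE.match(line.strip())
        if m and m.group(3) == want:
            return datetime.strptime(m.group(2), "%m/%d/%y %H:%M:%S")
    return None


def needs_kinit(klist_output, realm, now):
    """True when no TGT for `realm` is cached, or the cached one has expired."""
    exp = tgt_expiry(klist_output, realm)
    return exp is None or exp <= now


def connect_to_network(principal, realm):
    """Acquire a TGT only if needed; kinit itself prompts for the password."""
    try:
        out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    except FileNotFoundError:  # no Kerberos client on this machine
        out = ""
    if needs_kinit(out, realm, datetime.now()):
        subprocess.run(["kinit", f"{principal}@{realm}"], check=True)


if __name__ == "__main__":
    connect_to_network("jsmith", "SCHOOL.EXAMPLE")
```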

