Kerberos on Windows

Chris Lowe chris.lowe at dvallcoll.vic.edu.au
Fri Mar 7 11:30:25 EST 2008


After some long and painful research, I've discovered the mit2ms command, which only works in Vista.

Does anything implement this functionality in XP?

-Chris

On 07/03/2008, at 10:56 PM, Chris Lowe wrote:

> Hi there,
>
> I'm having major problems with Kerberos on Windows. I should mention
> that I'm a complete n00b when it comes to these things, and I'm
> really trying to spread my wings.
>
> I'm an I.T. tech at a high school in Australia. We use Windows 2003
> (R2, SP2) domain controllers and XP workstations in a domain
> environment. There are also some Mac OS X 10.3/4/5 machines; also in
> play here are a few Linux servers - I've successfully set up our
> intranet site (PHP on Apache) to use Kerberos authentication, bound
> both linux servers to AD, and we're now working on squid authing via
> kerberos as well. The ultimate goal here is single-sign-on, with
> fallback to prompting the user to sign in if they don't have a ticket.
>
> Staff laptops aren't joined to the domain.
>
> On staff mac laptops, by just adding kinit user@DOMAIN to their
> "connect to network" script, users are able to connect to CIFS shares
> and printers on the AD2k3 servers with no problems, and Safari passes
> kerberos auth details to the intranet servers. This is a beautiful,
> incredibly simple solution, especially when compared to some of the
> previous AppleScript "solutions".
>
> On non-domain Windows XP laptops, that couldn't be further from the
> truth. Using MIT KfW's Network Identity Manager (or kinit), I'm able
> to request a ticket for the domain - no problems there. I can even do
> this for other users; I can even do this from workstations on other
> 2k3 domains. However, from what I read, these tickets are only
> available to programs which use the KfW API and aren't accessible by
> any other programs - for example, Internet Explorer, or Windows' CIFS/
> SMB client.
>
> Ideally, what I want to do on the non-domain Windows laptops is
> something along the lines of calling kinit from a "Connect to
> Network" script, which would then allow network drives to be mapped
> and any other kerberos resource in the domain to be used without the
> staff member being prompted for a password, as described for our Mac
> clients. At the moment it looks like it isn't actually possible to do
> this in Windows XP.
>
> PLEASE help! :-)
>
> ---
> Chris Lowe
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos



---
Chris Lowe
I.T. Technician
Diamond Valley College, Victoria
T: (03) 9438 8232
W: www.dvallcoll.vic.edu.au
E: chris.lowe at dvallcoll.vic.edu.au
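For the Mac-side "connect to network" script described in the quoted message (kinit in the connect script, single sign-on with a fallback to a password prompt), here is an added example written for this thread. It is not a script from the original post or from MIT KfW; it assumes an MIT or Heimdal kinit/klist on the client, and the realm SCHOOL.EXAMPLE, the file server fs1.school.example and the share/mount-point names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumed names: REALM and FILESERVER are placeholders; replace them with the
# AD domain (upper case) and the AD2k3 file server.
REALM="${REALM:-SCHOOL.EXAMPLE}"
FILESERVER="${FILESERVER:-fs1.school.example}"

# Kerberos principal for a login name. AD realms are always upper case.
principal_for() {
    printf '%s@%s\n' "$1" "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
}

# Returns 0 when the default credential cache holds an unexpired TGT.
# Returns 1 when there is none, or when klist is not installed at all, so
# that callers fall back to prompting instead of assuming SSO will work.
have_ticket() {
    command -v klist >/dev/null 2>&1 || return 1
    klist -s 2>/dev/null
}

# Single sign-on with fallback: only run kinit (interactive password
# prompt) when no usable ticket is already cached.
ensure_ticket() {
    have_ticket && return 0
    kinit "$(principal_for "$1" "$REALM")"
}

# Build the mount command as a string so it can be inspected or dry-run.
# With a TGT in the cache, mount_smbfs negotiates Kerberos on its own.
mount_cmd() {
    printf 'mount_smbfs //%s@%s/%s %s\n' "$1" "$FILESERVER" "$2" "$3"
}

# connect_share USER SHARE MOUNTPOINT
connect_share() {
    ensure_ticket "$1" || { echo "no Kerberos ticket for $1; giving up" >&2; return 1; }
    mkdir -p "$3"
    mount_smbfs "//$1@$FILESERVER/$2" "$3"
}

# Usage (commented out so the script can be sourced without side effects):
# connect_share "$USER" staff "/Volumes/staff"
```

The check in ensure_ticket is what turns this into SSO rather than a password prompt on every connect: if a ticket is already in the cache (for example from a previous run that has not expired), kinit is never called, and the user is only prompted when no ticket exists.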