KfW and NiM getting multiple TGT's

Jeffrey Altman jaltman at secure-endpoints.com
Thu Apr 30 19:41:42 EDT 2009


David Bear wrote:
> Normally, when we install KfW (currently using 3.2.2) on Windows, we include
> a krb5.ini file that is mostly the same as the krb5.conf we use on Linux.
> Our krb5.ini only has asu.edu realm information in it. We also have an AD
> domain to which our Windows clients are joined. When a user does a domain
> logon, they normally get 2 credentials automatically, one for the AD domain,
> and one for our ASU.EDU realm. This is the behavior we like.
>
> However, today, using the same configuration file, NiM is only reporting
> credentials for the AD domain -- it is not automatically getting credentials
> from the ASU.EDU realm. We have selected (obtain new creds at startup) and
> (destroy all creds on exit) but this makes no difference. For some reason,
> KfW is not getting all the creds we are used to at startup. Any advice on
> how to get the behavior back that we want?
>
NIM does not obtain the credentials.  The KFW network provider
(kfwlogon.dll) does this if and only if:

   1. the passwords for the AD and MIT realms are the same
   2. kfwlogon.dll is installed
   3. the default realm in the krb5.ini file is the MIT realm

The NIM "obtain new creds at startup" option does not affect kfwlogon.dll.
What it does is prompt the user for credentials if there are none
available at startup.

Jeffrey Altman
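
Condition 3 in the reply above can be checked mechanically. The following is an added example, not part of the original message and not KfW code: it parses krb5.ini text and reports whether default_realm in [libdefaults] is the MIT realm. The AD realm name AD.EXAMPLE.EDU, the KDC host name and the function names are assumptions made for illustration.

```python
import re

# Constructed sample krb5.ini. ASU.EDU comes from the thread; the AD realm
# name and KDC host are placeholders.
SAMPLE_KRB5_INI = """\
; constructed sample
[libdefaults]
    default_realm = AD.EXAMPLE.EDU

[realms]
    ASU.EDU = {
        kdc = kdc.example.edu
    }
"""

def default_realm(profile_text):
    """Return the first top-level default_realm in [libdefaults], or None."""
    section, depth = None, 0
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # whole-line comments only
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            section = header.group(1).strip()
            continue
        if line.startswith("}"):             # end of a nested subsection
            depth = max(depth - 1, 0)
            continue
        rel = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if not rel:
            continue
        key, value = rel.group(1), rel.group(2).strip()
        if value == "{":                     # start of a nested subsection
            depth += 1
        elif section == "libdefaults" and depth == 0 and key == "default_realm":
            return value
    return None

def check_default_realm(profile_text, mit_realm):
    """Return (ok, message) for condition 3: default realm is the MIT realm."""
    found = default_realm(profile_text)
    if found is None:
        return False, "no default_realm in [libdefaults]"
    if found == mit_realm:
        return True, f"default_realm is {found}"
    if found.upper() == mit_realm.upper():   # realm names are case-sensitive
        return False, f"default_realm {found!r} differs from {mit_realm!r} only by case"
    return False, f"default_realm is {found!r}, not {mit_realm!r}"

if __name__ == "__main__":
    print(check_default_realm(SAMPLE_KRB5_INI, "ASU.EDU"))
```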
