KfW and NiM getting multiple TGTs

David Bear David.Bear at asu.edu
Fri May 1 12:22:51 EDT 2009


On Thu, Apr 30, 2009 at 4:41 PM, Jeffrey Altman <jaltman at secure-endpoints.com> wrote:

> David Bear wrote:
> > Normally, when we install KfW (currently using 3.2.2) on windows, we include
> > a krb5.ini file that is mostly the same as the krb5.conf we use on linux.
> > Our krb5.ini only has asu.edu realm information in it. We also have an AD
> > domain to which our windows clients are joined. When a user does a domain
> > logon, they normally get 2 credentials automatically, one for the AD domain,
> > and one for our ASU.EDU realm. This is the behavior we like.
> >
> > However, today, using the same configuration file, NiM is only reporting
> > credentials for the AD domain -- it is not automatically getting credentials
> > from the ASU.EDU realm. We have selected (obtain new creds at startup) and
> > (destroy all creds on exit) but this makes no difference. For some reason,
> > KfW is not getting all the creds we are used to at startup. Any advice on
> > how to get the behavior back that we want?
> >
> NIM does not obtain the credentials.  The KFW network provider
> (kfwlogon.dll) does this if and only if:
>
>   1. the passwords for the AD and MIT realms are the same
>   2. kfwlogon.dll is installed
>   3. the default realm in the krb5.ini file is the MIT realm
>
> The NIM obtain new creds at startup does not affect the kfwlogon.dll.
> What it does is prompt the user for credentials if there are none
> available at startup.
>

We have set the asu.edu realm to be the default realm in the krb5.ini file.
The passwords between AD domains and MIT Krb realms are identical. Still,
KfW doesn't auto-get asu.edu realm credentials. We can obtain credentials
using NiM AFTER standard windows logon. But it is just not getting them
automatically. Is there some other configuration option we have missed or
munged?


> Jeffrey Altman
>
>


-- 
David Bear
College of Public Programs at ASU
602-464-0424


