KfW and NiM getting mutliple TGT's

Jeffrey Altman jaltman at secure-endpoints.com
Mon May 4 10:05:48 EDT 2009

David Bear wrote:
> On Thu, Apr 30, 2009 at 4:41 PM, Jeffrey Altman
> <jaltman at secure-endpoints.com <mailto:jaltman at secure-endpoints.com>>
> wrote:
>     David Bear wrote:
>     > Normally, when we install KfW (currently using 3.2.2) on
>     windows, we include
>     > a krb5.ini file that is mostly the same as the krb5.conf we use
>     on linux.
>     > Our krb5.ini only has asu.edu <http://asu.edu> realm information
>     in it. We also have an AD
>     > domain to which our windows clients are joined. When a user does
>     a domain
>     > logon, they normally get 2 credentials automatically, one for
>     the AD domain,
>     > and one for our ASU.EDU <http://ASU.EDU> realm. This is the
>     behavior we like.
>     >
>     > However, today, using the same configuration file, NiM is only
>     reporting
>     > credentials for the AD domain -- it is not automatically getting
>     credentials
>     > from the ASU.EDU <http://ASU.EDU> realm. We have selected
>     (obtain new creds at startup) and
>     > (destroy all creds on exit) but this makes no difference. For
>     some reason,
>     > KfW is not getting all the creds we are used to at startup. Any
>     advice on
>     > how to get the behavior back that we want?
>     >
>     NIM does not obtain the credentials.  The KFW network provider
>     (kfwlogon.dll) does this if and only if:
>       1. the password for the AD and MIT realms are the same
>       2. kfwlogon.dll is installed
>       3. the default realm in the krb5.ini file is the MIT realm
>     The NIM obtain new creds at startup does not affect the kfwlogon.dll.
>     What it does is prompt the user for credentials if there are none
>     available at startup.
> We have set the asu.edu <http://asu.edu> realm to be the default realm
> in the krb5.ini file. The passwords between  AD domains and MIT Krb
> realms are identical. Still, KfW doesn't auto-get asu.edu
> <http://asu.edu> realm credentials. We can obtain credentials using
> NiM AFTER standard windows logon. But it is just not getting them
> automatically. Is there some other configuration option we have missed
> or munged?
You should verify that the Network Provider kfwlogon.dll is installed
and assuming that is true then you can turn on Windows Application Event

  HKLM\System\\CurrentControlSet\\Services\\MIT Kerberos\\NetworkProvider
    "Debug"  DWORD  0x01

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20090504/0123db82/attachment.bin

More information about the Kerberos mailing list