KfW and NiM getting mutliple TGT's
jaltman at secure-endpoints.com
Mon May 4 10:05:48 EDT 2009
David Bear wrote:
> On Thu, Apr 30, 2009 at 4:41 PM, Jeffrey Altman
> <jaltman at secure-endpoints.com <mailto:jaltman at secure-endpoints.com>>
> David Bear wrote:
> > Normally, when we install KfW (currently using 3.2.2) on
> windows, we include
> > a krb5.ini file that is mostly the same as the krb5.conf we use
> on linux.
> > Our krb5.ini only has asu.edu <http://asu.edu> realm information
> in it. We also have an AD
> > domain to which our windows clients are joined. When a user does
> a domain
> > logon, they normally get 2 credentials automatically, one for
> the AD domain,
> > and one for our ASU.EDU <http://ASU.EDU> realm. This is the
> behavior we like.
> > However, today, using the same configuration file, NiM is only
> > credentials for the AD domain -- it is not automatically getting
> > from the ASU.EDU <http://ASU.EDU> realm. We have selected
> (obtain new creds at startup) and
> > (destroy all creds on exit) but this makes no difference. For
> some reason,
> > KfW is not getting all the creds we are used to at startup. Any
> advice on
> > how to get the behavior back that we want?
> NIM does not obtain the credentials. The KFW network provider
> (kfwlogon.dll) does this if and only if:
> 1. the password for the AD and MIT realms are the same
> 2. kfwlogon.dll is installed
> 3. the default realm in the krb5.ini file is the MIT realm
> The NIM obtain new creds at startup does not affect the kfwlogon.dll.
> What it does is prompt the user for credentials if there are none
> available at startup.
> We have set the asu.edu <http://asu.edu> realm to be the default realm
> in the krb5.ini file. The passwords between AD domains and MIT Krb
> realms are identical. Still, KfW doesn't auto-get asu.edu
> <http://asu.edu> realm credentials. We can obtain credentials using
> NiM AFTER standard windows logon. But it is just not getting them
> automatically. Is there some other configuration option we have missed
> or munged?
You should verify that the Network Provider kfwlogon.dll is installed
and assuming that is true then you can turn on Windows Application Event
"Debug" DWORD 0x01
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20090504/0123db82/attachment.bin
More information about the Kerberos