Active Directory Kerberos Server and Windows MIT Tools Client
Schreiter,Jonathan M.
SCHREIJM at airproducts.com
Fri May 8 16:37:51 EDT 2009
Hello,
I currently have an AD 2003 environment that serves as a Kerberos server. Normally, with a standard Windows XP / Vista client (that is joined to the domain), when I login with a domain account I get a TGT for the AD domain / realm. This TGT is then used to get tickets for various other services that require Kerberos. When I run a klist from the MIT tools installed on this client, I show my ticket cache: MSLSA.
I need to log in with a local account on this same computer (still joined to the domain). I'd like to be able via command line to enter in my AD credentials to acquire a tgt just as if I was a login from the original CTRL+ALT+DEL screen.
Also, MYDOMAIN.COM = MYREALM.COM
After logging in locally, I tried to do a simple kinit myuser at MYDOMAIN.COM and it took the password. However, if I use Internet Explorer to go to an IIS server that requires kerberos authentication, I am still prompted for my username and password.
I then drilled in to the GUI Network Identity Manager. Under Kerberos v5 Credential Cache I have Include Windows LSA cache (MSLSA:) checked. Uner Realms I added a new realm MYDOMAIN.COM. I added an AD DC for the Kerberos Server, but I left Domains that map to MYDOMAIN.COM empty (not sure what's supposed to go here).
I then entered my kerberos authentication in to the GUI and it took my password. However, it still doesn't see the tgt in the MSLSA (if I try to use a klist from the Windows NT Resource Kit). If I run klist from c:\Program Files\MIT\Kerberos\Bin I get a klist: No credentials cache found (ticket cache API:myuser at MYDOMAIN.COM. Also, If I try to run IE to hit an IIS web server requiring Kerberos, it still prompts me for my credentials.
I think I'm almost there - but can someone help me connect the pieces? Again, I would like to log in to a windows xp / vista computer, enter a username and password to obtain a tgt in the mslsa, so that IE can hit an IIS server that requires kerberos w/o typing in the password again.
Any help would be GREATLY appreciated.
Many thanks,
Jonathan
More information about the Kerberos
mailing list