Active Directory Kerberos Server and Windows MIT Tools Client

Schreiter,Jonathan M. SCHREIJM at airproducts.com
Fri May 8 16:37:51 EDT 2009 

Hello,
I currently have an AD 2003 environment that serves as a Kerberos server.  Normally, with a standard Windows XP / Vista client (that is joined to the domain), when I login with a domain account I get a TGT for the AD domain / realm.  This TGT is then used to get tickets for various other services that require Kerberos.  When I run a klist from the MIT tools installed on this client, I show my ticket cache: MSLSA.
 
I need to log in with a local account on this same computer (still joined to the domain).  I'd like to be able via command line to enter in my AD credentials to acquire a tgt just as if I was a login from the original CTRL+ALT+DEL screen.
 
Also, MYDOMAIN.COM = MYREALM.COM
 
After logging in locally, I tried to do a simple kinit myuser at MYDOMAIN.COM and it took the password.  However, if I use Internet Explorer to go to an IIS server that requires kerberos authentication, I am still prompted for my username and password.
 
I then drilled in to the GUI Network Identity Manager.  Under Kerberos v5 Credential Cache I have Include Windows LSA cache (MSLSA:) checked.  Uner Realms I added a new realm MYDOMAIN.COM.  I added an AD DC for the Kerberos Server, but I left Domains that map to MYDOMAIN.COM empty (not sure what's supposed to go here).
 
I then entered my kerberos authentication in to the GUI and it took my password.  However, it still doesn't see the tgt in the MSLSA (if I try to use a klist from the Windows NT Resource Kit).  If I run klist from c:\Program Files\MIT\Kerberos\Bin I get a klist: No credentials cache found (ticket cache API:myuser at MYDOMAIN.COM.  Also, If I try to run IE to hit an IIS web server requiring Kerberos, it still prompts me for my credentials.
 
I think I'm almost there - but can someone help me connect the pieces?  Again, I would like to log in to a windows xp / vista computer, enter a username and password to obtain a tgt in the mslsa, so that IE can hit an IIS server that requires kerberos w/o typing in the password again.
 
Any help would be GREATLY appreciated.
 
Many thanks,
Jonathan

More information about the Kerberos mailing list