Active Directory Kerberos Server and Windows MIT Tools Client

Schreiter,Jonathan M. SCHREIJM at airproducts.com
Mon May 11 10:33:03 EDT 2009 

Thanks Doug and Jeff.

I'm not sure the runas will work in the problem I'm trying to solve, but
maybe I'm wrong.  I have an application that when you click on a button
it will spawn an IE window, and there are multiple buttons that link to
different URLs (each URL corresponds to an IIS server with Kerberos
authentication).  During nominal operations, multiple IE windows will be
open on a same machine, and new windows will be closed and opened
multiple times per day.  I guess I could spawn a cmd window from the
button, but I'm not sure how to automatically spawn multiple
iexplore.exe from this cmd window from an external application.  

The second part of the problem, is that I'll have multiple computers
that fit this category - so I was hoping to use a keytab dump after
getting the tgt to copy files to the other computers for a SSO.

If anyone has any thoughts, I'd appreciate it.  I'm going to take a look
at some PKI options here in the meantime.

Many thanks,
Jonathan

-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov] 
Sent: Monday, May 11, 2009 10:25 AM
To: Schreiter,Jonathan M.
Cc: kerberos at mit.edu
Subject: Re: Active Directory Kerberos Server and Windows MIT Tools
Client

In addition to what Jeff proposed, you can use the runas command with
other
commands. cmd.exe is one, as it then gives you a command window to start
other commands, including explorer or iexplorer, so you only have to
enter the user/password once.

The runas.exe /netonly can also be used on machines not joined to the
domain,
to get credentials from the domain, usable on the network.

Also see:
  http://support.microsoft.com/kb/225035
  "Secondary Logon (Run As): Starting Programs and Tools in Local
Administrative Context"

And to get explorer to run also see:
  http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx
  "How do you set the "separate process" flag, then?"
  "How do I tell my admin windows from my normal windows?"





Schreiter,Jonathan M. wrote:
> Hello,
> I currently have an AD 2003 environment that serves as a Kerberos
server.  Normally, with a standard Windows XP / Vista client (that is
joined to the domain), when I login with a domain account I get a TGT
for the AD domain / realm.  This TGT is then used to get tickets for
various other services that require Kerberos.  When I run a klist from
the MIT tools installed on this client, I show my ticket cache: MSLSA.
>  
> I need to log in with a local account on this same computer (still
joined to the domain).  I'd like to be able via command line to enter in
my AD credentials to acquire a tgt just as if I was a login from the
original CTRL+ALT+DEL screen.
>  
> Also, MYDOMAIN.COM = MYREALM.COM
>  
> After logging in locally, I tried to do a simple kinit
myuser at MYDOMAIN.COM and it took the password.  However, if I use
Internet Explorer to go to an IIS server that requires kerberos
authentication, I am still prompted for my username and password.
>  
> I then drilled in to the GUI Network Identity Manager.  Under Kerberos
v5 Credential Cache I have Include Windows LSA cache (MSLSA:) checked.
Uner Realms I added a new realm MYDOMAIN.COM.  I added an AD DC for the
Kerberos Server, but I left Domains that map to MYDOMAIN.COM empty (not
sure what's supposed to go here).
>  
> I then entered my kerberos authentication in to the GUI and it took my
password.  However, it still doesn't see the tgt in the MSLSA (if I try
to use a klist from the Windows NT Resource Kit).  If I run klist from
c:\Program Files\MIT\Kerberos\Bin I get a klist: No credentials cache
found (ticket cache API:myuser at MYDOMAIN.COM.  Also, If I try to run IE
to hit an IIS web server requiring Kerberos, it still prompts me for my
credentials.
>  
> I think I'm almost there - but can someone help me connect the pieces?
Again, I would like to log in to a windows xp / vista computer, enter a
username and password to obtain a tgt in the mslsa, so that IE can hit
an IIS server that requires kerberos w/o typing in the password again.
>  
> Any help would be GREATLY appreciated.
>  
> Many thanks,
> Jonathan
>  
>  
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list