MIT kdc with Windows 7 pc
Christopher D. Clausen
cclausen at acm.org
Tue Sep 21 15:24:09 EDT 2010
Jean-Yves Avenard <jyavenard at gmail.com> wrote:
> Am I to understand that it is not currently possible to authenticate
> on a Windows machine using an MIT Kerberos KDC? It would be a good
> Windows domain replacement.
I sort-of have this working, although this is probably different than your
setup.
UIUC.EDU is an MIT Kerberos realm. Our Windows domain, AD.UIUC.EDU, has a
trust with UIUC.EDU and we have the proper altSecurityIdentifier field
configured on the user accounts within Active Directory.
I had to allow single DES for the Windows 7 computer as Windows trusts from
AD to non-Windows KDCs were single DES only at the time our trust was set up:
The Configure encryption types allowed for Kerberos policy setting is
located in Computer Configuration\Security Settings\Local Policies\Security
Options. (I think this is in secpol.msc.)
Once single DES was enabled, I ran the appropriate ksetup /addkdc commands
and I can now log in using my cclausen at UIUC.EDU Kerberos principal on a
computer joined to AD.UIUC.EDU.
-----
If you are attempting this on a stand-alone computer not also joined to a
Windows domain, I believe that Windows 7 REQUIRES having the computer password
set to the same service principal password on the KDC side for the computer
to be able to authenticate the KDC itself. Windows XP did not have this
requirement.
<<CDC
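
The stand-alone case described in the message above, as an added example that is not part of the original post: the ksetup sequence for pointing a workgroup Windows 7 machine at an MIT realm. The realm, KDC host name, principal and local account are placeholders, and the /mapuser step and the name of the matching host principal on the KDC are assumptions about a typical setup.

```powershell
# Added example, not from the original post. Run from an elevated prompt on
# a stand-alone (workgroup) Windows 7 machine. All values are placeholders.
$Realm     = 'EXAMPLE.REALM'        # placeholder MIT realm name
$KdcHost   = 'kdc1.example.realm'   # placeholder KDC host name
$Principal = "user1@$Realm"         # placeholder user principal
$LocalUser = 'user1'                # placeholder local Windows account

function Invoke-Ksetup {
    # Run ksetup.exe with the given arguments and stop on a non-zero exit
    # code. Only the switch name goes into the error text, so the computer
    # password never ends up in an error message or transcript.
    & ksetup.exe @args
    if ($LASTEXITCODE -ne 0) {
        throw "ksetup $($args[0]) failed with exit code $LASTEXITCODE"
    }
}

# The password must equal the one set on the KDC for this machine's service
# principal (assumed here to be host/<this-computer-fqdn>@EXAMPLE.REALM).
$secure = Read-Host -Prompt 'Computer (host principal) password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

    Invoke-Ksetup /setrealm $Realm                # make the machine a realm member
    Invoke-Ksetup /addkdc $Realm $KdcHost         # tell Windows where the KDC is
    Invoke-Ksetup /setcomputerpassword $plain     # lets the machine verify the KDC
    Invoke-Ksetup /mapuser $Principal $LocalUser  # principal -> local account
}
finally {
    # Wipe the unmanaged plaintext copy of the password.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}

# Show the resulting realm, KDC and user-mapping configuration for review.
Invoke-Ksetup /dumpstate
```

Restart the machine after running this so the realm change takes effect before testing a logon.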