MIT kdc with Windows 7 pc

Christopher D. Clausen cclausen at acm.org
Tue Sep 21 15:24:09 EDT 2010


Jean-Yves Avenard <jyavenard at gmail.com> wrote:
> Am I to understand that it is not currently possible to authenticate
> on a Windows machine using an MIT Kerberos KDC? It would be a good
> Windows domain replacement.

I sort-of have this working, although this is probably different than your 
setup.

UIUC.EDU is an MIT Kerberos realm.  Our Windows domain, AD.UIUC.EDU has a 
trust with UIUC.EDU and we have the proper altSecurityIdentifier field 
configured on the user accounts within Active Directory.

I had to allow single DES for the Windows 7 computer as Windows trusts from 
AD to non-Windows KDCs were single DES only at the time our trust was set up.
The "Configure encryption types allowed for Kerberos" policy setting is 
located in Computer Configuration\Security Settings\Local Policies\Security 
Options.  (I think this is in secpol.msc.)

Once single DES was enabled, I ran the appropriate ksetup /addkdc commands 
and I can now log in using my cclausen at UIUC.EDU Kerberos principal on a 
computer joined to AD.UIUC.EDU.

-----

If you are attempting this on a stand-alone computer not also joined to a 
Windows domain, I believe that Windows 7 REQUIRES having the computer password 
set to the same service principal password on the KDC side for the computer 
to be able to authenticate the KDC itself.  Windows XP did not have this 
requirement.

<<CDC
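
The following is an added example, not part of the original message: a PowerShell check that decodes the value written by the "Configure encryption types allowed for Kerberos" policy and reports whether single DES is enabled on a machine. The registry path and value name are given as an assumption about where the policy is stored, the function name is hypothetical, and the sample mask is constructed.

```powershell
# Added example (not from the original post). Works on PowerShell 2.0 and later.
# Bit values are the Kerberos SupportedEncryptionTypes flags.
$EncTypeFlags = @(
    @{ Name = 'DES_CBC_CRC';             Bit = 0x1  },
    @{ Name = 'DES_CBC_MD5';             Bit = 0x2  },
    @{ Name = 'RC4_HMAC_MD5';            Bit = 0x4  },
    @{ Name = 'AES128_CTS_HMAC_SHA1_96'; Bit = 0x8  },
    @{ Name = 'AES256_CTS_HMAC_SHA1_96'; Bit = 0x10 }
)

# Hypothetical helper: turn the policy bitmask into readable names.
function ConvertFrom-KerberosEncTypeMask {
    param([Parameter(Mandatory = $true)][int64]$Mask)

    $names = @($EncTypeFlags |
        Where-Object { $Mask -band $_.Bit } |
        ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        Mask       = '0x{0:X}' -f $Mask
        EncTypes   = $names -join ', '
        DesEnabled = [bool]($Mask -band 0x3)   # either single-DES bit set
    }
}

# Constructed sample value: all five named types enabled.
ConvertFrom-KerberosEncTypeMask -Mask 0x1F

# Assumption: the policy setting is stored in this registry value.
# When the policy has never been configured the value is absent.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$prop = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue

if ($null -eq $prop) {
    'SupportedEncryptionTypes is not set; the operating system defaults apply.'
} else {
    ConvertFrom-KerberosEncTypeMask -Mask $prop.SupportedEncryptionTypes
}
```

Running this before and after changing the policy shows whether the DES bits actually took effect, and it can be used later to find machines where single DES was left enabled.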
