MIT kdc with Windows 7 pc

Jean-Yves Avenard jyavenard at gmail.com
Tue Sep 21 15:53:46 EDT 2010


Hi

On 22 September 2010 05:39, Wilper, Ross A <rwilper at stanford.edu> wrote:
> You must have the external (MIT) principal mapped to a Windows user for logon to succeed.

Pretty sure I did that:
I ran the command
ksetup /mapuser username at M.DOMAIN.COM username


>
> This can be done with an Active Directory/Cross-realm trust by using the AltSecurityIdentities property on AD users. For a machine in a Workgroup, this can be done by using "ksetup /mapuser"
>
> Windows supports AES256, AES128, RC4-HMAC and DES-CBC MD5 or CBC. The DES types are not available by default in Windows 7 (they have to be enabled).
>

The principal was created using:
ank -pw password -e rc4-hmac:normal host/minimepc.m.domain.com

For all account it seemed to work properly, by that I mean I see no
authentication error in the kdc logs.

Do the DES encryption types need to be enabled even for Windows 7 ?

I did see:

Sep 22 05:43:06 m.domain.com krb5kdc[68](info): AS_REQ (7 etypes {18
17 16 23 1 3 2}) 60.242.X.X: NEEDED_PREAUTH:
jeanyves_avenard at M.DOMAIN.COM for krbtgt/M.DOMAIN.COM at M.DOMAIN.COM,
Additional pre-authentication required

followed by proper authentication after, no password errors.



More information about the Kerberos mailing list