MIT kdc with Windows 7 pc

Wilper, Ross A rwilper at stanford.edu
Tue Sep 21 16:07:54 EDT 2010


I've never personally attached a Windows box directly to an MIT realm, only read the instructions.

If you have created the principal for the Windows machine and set the password in the Windows machine, then mapped the user's principal to a local account, then you are past what I have done for a Windows machine in a workgroup.

You do not have to turn on the DES encryption types in Windows 7 as long as at least one of the stronger enctypes is available on the principals. It looks like you set up the host with RC4, so I would not enable DES.

-Ross

-----Original Message-----
From: Jean-Yves Avenard [mailto:jyavenard at gmail.com] 
Sent: Tuesday, September 21, 2010 12:54 PM
To: Wilper, Ross A
Cc: kerberos at mit.edu
Subject: Re: MIT kdc with Windows 7 pc

Hi

On 22 September 2010 05:39, Wilper, Ross A <rwilper at stanford.edu> wrote:
> You must have the external (MIT) principal mapped to a Windows user for logon to succeed.

Pretty sure I did that:
I ran the command
ksetup /mapuser username at M.DOMAIN.COM username


>
> This can be done with an Active Directory/Cross-realm trust by using the AltSecurityIdentities property on AD users. For a machine in a Workgroup, this can be done by using "ksetup /mapuser"
>
> Windows supports AES256, AES128, RC4-HMAC and DES-CBC MD5 or CBC. The DES types are not available by default in Windows 7 (they have to be enabled).
>

The principal was created using:
ank -pw password -e rc4-hmac:normal host/minimepc.m.domain.com

For all accounts it seemed to work properly; by that I mean I see no
authentication error in the kdc logs.

Do the DES encryption types need to be enabled even for Windows 7?

I did see:

Sep 22 05:43:06 m.domain.com krb5kdc[68](info): AS_REQ (7 etypes {18
17 16 23 1 3 2}) 60.242.X.X: NEEDED_PREAUTH:
jeanyves_avenard at M.DOMAIN.COM for krbtgt/M.DOMAIN.COM at M.DOMAIN.COM,
Additional pre-authentication required

followed by proper authentication after, no password errors.
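The AS_REQ line quoted above lists the enctypes the Windows 7 client offered (18 17 16 23 1 3 2); whether the KDC can answer depends on whether at least one of them matches a key on the principal, which is the point Ross makes about not needing DES. The following is an added example, not code from the thread or from MIT krb5: it parses such a krb5kdc log line (the sample is constructed from the one quoted here) and reports the overlap with the enctypes a principal was keyed with, flagging the case where the only overlap is single-DES.

```python
import re

# Kerberos enctype numbers (RFC 3961 / RFC 4757) for the etypes seen in the KDC log.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ETYPES = {1, 2, 3}  # single-DES; disabled by default in Windows 7

# Constructed sample, modelled on the AS_REQ line quoted in the thread
# (the archive wrapped it across several lines).
SAMPLE_LOG = """Sep 22 05:43:06 m.domain.com krb5kdc[68](info): AS_REQ (7 etypes {18
17 16 23 1 3 2}) 60.242.X.X: NEEDED_PREAUTH:
jeanyves_avenard at M.DOMAIN.COM for krbtgt/M.DOMAIN.COM at M.DOMAIN.COM,
Additional pre-authentication required"""

_ETYPES_RE = re.compile(r"AS_REQ \((\d+) etypes \{([\d\s]+)\}\)")


def client_etypes(log_text):
    """Return the enctype numbers offered in an AS_REQ, unwrapping archive line breaks."""
    m = _ETYPES_RE.search(" ".join(log_text.split()))
    if not m:
        return []
    etypes = [int(x) for x in m.group(2).split()]
    if len(etypes) != int(m.group(1)):
        raise ValueError("etype count does not match the list in the log line")
    return etypes


def check_negotiation(log_text, principal_etypes):
    """Compare the client's offered etypes with the keys on the principal.

    principal_etypes: strings as given to kadmin -e, e.g. "rc4-hmac:normal"
    (the salt suffix is ignored). Returns (common_etype_names, needs_des),
    where needs_des is True when the only overlap is single-DES, i.e. the
    client would have to enable DES before it could authenticate.
    """
    offered = set(client_etypes(log_text))
    wanted = {s.split(":")[0] for s in principal_etypes}
    keyed = {n for n, name in ETYPE_NAMES.items() if name in wanted}
    common = offered & keyed
    names = [ETYPE_NAMES[n] for n in sorted(common)]
    needs_des = bool(common) and common <= WEAK_ETYPES
    return names, needs_des
```

With the principal keyed as in the thread (rc4-hmac:normal), the overlap is rc4-hmac alone and no DES enctype needs enabling on the client.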
