Windows Login against Linux KDC

Robert Wehn robert.wehn at rz.uni-augsburg.de
Fri May 4 05:14:40 EDT 2012


Hi Tiago,

start here:
http://technet.microsoft.com/en-us/library/bb742433.aspx#EDAA
Section "Using an MIT KDC with a Standalone Windows 2000 Workstation"

Since Vista/Server 2008 Windows supports the following Encryption Types:
AES256-CTS-HMAC-SHA1-96  (new since Vista/2008)
AES128-CTS-HMAC-SHA1-96  (new since Vista/2008)
RC4-HMAC                 (best available for Win XP / Server 2003)
DES-CBC-CRC              (insecure)
DES-CBC-MD5              (insecure)

So to use it with Windows you need AES256, AES128 and RC4-HMAC (if you
want to be able to use older OS versions)

Every user has to be created locally on every Windows machine and mapped
to its Kerberos account, but you can script that.

The tool you need is "ksetup.exe" and the "net user" command for the
Windows command line.

Robert.


On 03.05.2012 16:52, Tiago Elvas wrote:
> Hi all,
>
> I am struggling to configure my Windows machine running a Windows Server
> 2008.
>
> 1- I have established a domain with a KDC running on a Redhat 5.7 machine.
> I have correctly configured other Linux machine to retrieve tickets on
> login ('su' and 'ssh' through PAM)
> 2- In the Windows machine, I am able to manually retrieve tickets with the
> "Network Identity Manager".
>
> Now what I wanted to do is to restrict the login in the Windows machine to
> those users who are able to authenticate against the Linux KDC (apart from
> an Administrator account). So if user "tiago" is not defined in the KDC he
> cannot login to this (Windows) machine.
>
> Can anybody give some tips on how to do this?
>
> Many thanks in advance.
>
> Best regards,
> Tiago
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
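
The scripting with ksetup.exe and "net user" mentioned in the reply above could look like the following. This is an added example, not part of the original message; the realm, KDC host name, user list and helper function names are constructed placeholders, and it assumes a host principal for the Windows machine already exists in the KDC.

```powershell
# Added example. Realm, KDC host and user names are constructed placeholders.
# Run elevated on the standalone Windows machine; assumes a host principal for
# this machine already exists in the KDC with the password entered below.
$Realm = 'EXAMPLE.ORG'
$Kdc   = 'kdc.example.org'
$Users = @('tiago', 'alice')      # principals that exist in the KDC

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    # Run a native command and stop the script on a non-zero exit code.
    & $Exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe failed with exit code $LASTEXITCODE"
    }
}

function New-RandomPassword {
    # 10 random bytes -> 14 base64 characters. Kept at 14 because "net user"
    # asks for interactive confirmation on longer passwords. '+' and '/' are
    # replaced so the value can never be parsed as a command switch.
    $bytes = New-Object byte[] 10
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '.').Replace('/', '_')
}

# Point the machine at the realm and its KDC, then set the host principal key.
$HostPw = Read-Host "Password of this machine's host principal in $Realm"
Invoke-Checked ksetup.exe @('/setrealm', $Realm)
Invoke-Checked ksetup.exe @('/addkdc', $Realm, $Kdc)
Invoke-Checked ksetup.exe @('/setcomputerpassword', $HostPw)

foreach ($u in $Users) {
    # "net user <name>" exits non-zero when the local account does not exist.
    & net.exe user $u 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Create the account with a random password that is never disclosed,
        # so the only usable credential is the one checked by the KDC.
        Invoke-Checked net.exe @('user', $u, (New-RandomPassword), '/add')
    }
    # Map the Kerberos principal to the local account of the same name.
    Invoke-Checked ksetup.exe @('/mapuser', "${u}@${Realm}", $u)
}

# Show the resulting realm, KDC and mapping configuration for review.
Invoke-Checked ksetup.exe @('/dumpstate')
```

Local accounts that already existed keep their current local password, which still works for a local logon, and the realm change takes effect after a restart.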


