MIT Kerberos Client and MSLSA Cache
Benjamin Kaduk
kaduk at MIT.EDU
Fri Apr 17 16:18:08 EDT 2015
On Fri, 17 Apr 2015, Meike Stone wrote:
> Hello dear list,
>
> I have Windows 7 workstations, not joined to an AD Domain.
> I like to use MIT Kerberos client to authenticate to a Kerberos server
> and run several programs using Kerberos to authenticate.
> The MIT client is installed and running, I get a krbtgt and if I use
> Firefox with network.auth.use-sspi=false, Firefox uses Kerberos as
> well.
>
> But my problem is applications that use only the MSLSA Kerberos
> cache (for example SAP-GUI via gsskrb5.dll) (SSPI)
SAP-GUI will use gssapi32.dll just fine, for what it's worth (we use it
that way at MIT).
> Is it possible to configure the MIT-Kerberos client to use this cache (too)?
It is possible to configure MIT Kerberos to use that cache, though it is
not very well exposed in the GUI at the moment. You can set
HKCU\Software\MIT\Kerberos5\ccname to "MSLSA:" in the registry to make it
the default, or explicitly run kinit.exe -c MSLSA: <principal> from
cmd.exe to just get a ticket. (Once you have a ticket, the "make default"
button will set the registry entry for you.)
However, with the currently released versions, if you have UAC enabled,
the non-SSPI clients will not work. If you do not have UAC enabled, they
will not work very well (they will wait for some DNS timeouts) unless you
set
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\REALM.NAME\KdcNames
to a multi-string entry with the DNS names of the realm's KDCs.
There are several improvements on master that have not made it into a
release yet; I hope to put out a KfW 4.1 release in the next couple of
months which includes them.
> Using ksetup and logging on to the Kerberos realm works, but I can't
> make such deep changes on the Windows workstations (e.g. new
> user profile, etc. ...).
I'm not sure I understand this paragraph.
> The main goal is to get the SAP-GUI running, using Kerberos to authenticate!
> Maybe someone has an idea to get this running on a simple workstation
> without domain or Kerberos membership.
I am surprised that it is not working; maybe the version of SAP GUI that
MIT distributes internally has some custom config in place. In any case,
you should be able to set SNC_LIB to point to the gssapi32.dll library and
avoid the MSLSA: cache.
-Ben
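As an added illustration (not from the thread or from the KfW project), the two registry settings Ben describes written out as a PowerShell script: the per-user ccname default under HKCU and the per-realm KdcNames multi-string under HKLM, read back afterwards to confirm what was written. The realm EXAMPLE.COM and the KDC hostnames are placeholders.

```powershell
# Added example: make "MSLSA:" the default MIT Kerberos ccache and pre-seed
# the LSA's KDC list so non-SSPI clients do not wait on DNS timeouts.
# Realm and KDC hostnames are placeholders (assumptions); substitute your own.
$Realm    = 'EXAMPLE.COM'
$KdcNames = @('kdc1.example.com', 'kdc2.example.com')

# 1. Per-user default ccache for the MIT client (no elevation needed).
#    Equivalent to pressing "make default" after kinit.exe -c MSLSA:.
$mitKey = 'HKCU:\Software\MIT\Kerberos5'
New-Item -Path $mitKey -Force | Out-Null
Set-ItemProperty -Path $mitKey -Name 'ccname' -Value 'MSLSA:' -Type String

# 2. KDC names for the realm, as the LSA expects them (REG_MULTI_SZ).
#    This lives under HKLM, so run this part from an elevated PowerShell.
$lsaKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
New-Item -Path $lsaKey -Force | Out-Null
Set-ItemProperty -Path $lsaKey -Name 'KdcNames' -Value $KdcNames -Type MultiString

# 3. Read both values back and fail loudly if they did not land as intended.
$ccname = (Get-ItemProperty -Path $mitKey -Name 'ccname').ccname
$kdcs   = (Get-ItemProperty -Path $lsaKey -Name 'KdcNames').KdcNames
"ccname   = $ccname"
"KdcNames = $($kdcs -join ', ')"
if ($ccname -ne 'MSLSA:') { throw "ccname is '$ccname', expected 'MSLSA:'" }
if (@($kdcs).Count -ne $KdcNames.Count) { throw "KdcNames was not written as a multi-string" }

# 4. Optional: obtain a ticket into the LSA cache and list it.
#    kinit.exe ships with Kerberos for Windows; klist.exe is the Windows built-in.
# & kinit.exe -c MSLSA: "user@$Realm"
# & klist.exe
```

Step 2 only helps the non-SSPI clients that Ben says misbehave without it; the SSPI path already knows how to find the KDCs once the realm is configured.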