MIT Kerberos Client and MSLSA Cache

Meike Stone meike.stone at googlemail.com
Mon Apr 20 10:15:46 EDT 2015


Hello Benjamin,

2015-04-17 22:18 GMT+02:00 Benjamin Kaduk <kaduk at mit.edu>:
> On Fri, 17 Apr 2015, Meike Stone wrote:
>
>> Hello dear list,
>>
>> I have Windows 7 workstations, not joined to an AD domain.
>> I would like to use the MIT Kerberos client to authenticate to a Kerberos server
>> and run several programs that use Kerberos to authenticate.
>> The MIT client is installed and running, I get a krbtgt and if I use
>> Firefox with network.auth.use-sspi=false, Firefox uses Kerberos as
>> well.
>>
>> But my problem is applications that use only the MSLSA Kerberos
>> cache (for example SAP-GUI via gsskrb5.dll) (SSPI).
>
> SAP-GUI will use gssapi32.dll just fine, for what it's worth (we use it
> that way at MIT).
>
>> Is it possible to configure the MIT Kerberos client to use this cache (too)?
>
> It is possible to configure MIT Kerberos to use that cache, though it is
> not very well exposed in the GUI at the moment.  You can set
> HKCU\Software\MIT\Kerberos5\ccname to "MSLSA:" in the registry to make it
> the default, or explicitly run kinit.exe -c MSLSA: <principal> from
> cmd.exe to just get a ticket.  (Once you have a ticket, the "make default"
> button will set the registry entry for you.)

That works absolutely fine! Thanks :-D

>
> However, with the currently released versions, if you have UAC enabled,
> the non-SSPI clients will not work.  If you do not have UAC enabled, they
> will not work very well (they will wait for some DNS timeouts) unless you
> set
> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\REALM.NAME\KdcNames
> to a multi-string entry with the DNS names of the KDCs for the realm's
> KDCs.

I've seen this before; that's what Microsoft does if ksetup.exe is invoked!
But on a test PC I dropped that configuration and it works as well,
no (appreciable) timeout seen, but I haven't sniffed.
I'll dig deeper soon!

>
> There are several improvements on master that have not made it into a
> release yet; I hope to put out a KfW 4.1 release in the next couple of
> months which includes them.

What improvements?

>
>> Using ksetup and logging on to the Kerberos realm works, but I can't
>> make such deep changes on the Windows workstations (e.g. new
>> user profile, etc.).
>
> I'm not sure I understand this paragraph.

I mean using Microsoft's Kerberos client (included in W7 / in the W2k3
support tools), configured by ksetup.exe, installed without the MIT Kerberos client!
That solution works as well, but the user must log on to the
Kerberos "domain" and gets a new profile! Microsoft's "kinit" is only invoked during
the logon process.

>
>> The main reason is to get the SAP-GUI running, using Kerberos to authenticate!
>> Maybe someone has an idea how to get this running on a simple workstation
>> without domain or Kerberos membership.
>
> I am surprised that it is not working; maybe the version of SAP GUI that
> MIT distributes internally has some custom config in place.  In any case,
> you should be able to set SNC_LIB to point to the gssapi32.dll library and
> avoid the MSLSA: cache.

Yes, now it works. Thanks!

But one question: I tried the same on Windows 2003, but it didn't work.
We have a few stand-alone Terminal Servers, managed by other
departments (same with the Windows 7 PCs).
Is it possible to do that with Windows 2003 too? That would be very nice!

Thanks, Meike
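As an added illustration (not part of the thread, and not MIT's or SAP's own tooling), the two registry settings Benjamin describes, applied and checked from PowerShell on the workstation; REALM.NAME and user@REALM.NAME are placeholders for the real realm and principal, and the HKLM key is only read here since writing it needs an elevated shell.

```powershell
# Added example, not from the mailing-list thread.
# $Realm is a placeholder; substitute the Kerberos realm you actually use.
$Realm  = 'REALM.NAME'
$KfwKey = 'HKCU:\Software\MIT\Kerberos5'
$KdcKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"

# 1. Make MSLSA: the default credential cache for the MIT client.
#    This is the per-user HKCU\Software\MIT\Kerberos5\ccname value from the reply.
if (-not (Test-Path $KfwKey)) { New-Item -Path $KfwKey -Force | Out-Null }
New-ItemProperty -Path $KfwKey -Name ccname -Value 'MSLSA:' `
    -PropertyType String -Force | Out-Null
Write-Host "ccname is now: $((Get-ItemProperty -Path $KfwKey).ccname)"

# 2. Report whether the LSA already knows the realm's KDCs. ksetup.exe writes
#    this REG_MULTI_SZ; without it, non-SSPI clients may sit through DNS timeouts.
if (Test-Path $KdcKey) {
    $kdcs = (Get-ItemProperty -Path $KdcKey -ErrorAction SilentlyContinue).KdcNames
    if ($kdcs) {
        Write-Host "KdcNames for ${Realm}: $($kdcs -join ', ')"
    } else {
        Write-Warning "Domain key exists for $Realm but KdcNames is not set"
    }
} else {
    Write-Warning "No LSA domain entry for $Realm; expect DNS lookups for the KDC"
}

# 3. Obtain a TGT straight into the LSA cache with the KfW kinit.exe,
#    exactly as the reply suggests. The principal is a placeholder.
& kinit.exe -c 'MSLSA:' 'user@REALM.NAME'
```

Run step 1 as the user who will launch the SSPI applications, since HKCU is per profile.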
