Establish FAST encrypted channel between Linux client and Windows server

Faisal Ali faisal.ali.101 at gmail.com
Wed Feb 11 07:49:01 EST 2015


http://kerberos.996246.n3.nabble.com/Creating-a-keytab-with-ktpass-under-a-Computer-account-td14074.html

I followed the above link to create a computer account on the Windows server
and generate a keytab to be used for the first kinit. It doesn't seem to work.
Have I employed the wrong procedure, or was this expected?

--------------
Faisal Ali

On Mon Feb 09 2015 at 9:20:03 PM Wilper, Ross <rwilper at slac.stanford.edu>
wrote:

> I would be interested to see if you can make this work. It's been a while
> since I've looked into this and did not get very far.
>
> It sounds like you are on the right path - one of the gotchas is that AD
> does not seem to support pkinit null, which is what many Kerberos
> implementations do to create the armor. What Windows machines do is to use
> the computer account as the armor for the user account logon. This may
> actually be a requirement (that the armor be a computer account) because
> the AD KDC wants to have both involved in the logon interaction so as to
> generate computer and user claims into the resulting ticket. I hope that I
> am wrong on that.
>
> -Ross
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Faisal Ali
> Sent: Monday, February 9, 2015 5:55 AM
> To: kerberos at mit.edu
> Subject: Establish FAST encrypted channel between linux client and windows
> server
>
> I am trying to set up a Windows server for FAST encrypted channel support to
> test OTP pre-authentication in Kerberos.
>
> I have already tested on a Linux machine by deploying a KDC built from the
> krb5-1.12.1 source code and a FreeRADIUS server, and using the keytab of a
> service principal to receive an armor ccache to be used to establish a FAST
> encrypted channel between client and KDC.
>
> I have set up Windows Server 2012 for Kerberos and added support for the "KDC
> support for claims, compound authentication and Kerberos armoring" policy
> on it. I can receive a TGT for the service principal. But when I execute the
> command "kinit -T <armor-cache> <principal>", the KDC does not reply with any
> padata and no FAST encrypted channel is established (observed through the
> Wireshark log and Kerberos library logs).
>
> Is it possible to establish a FAST encrypted channel between a Linux client
> and Windows AD? Have I missed any setting?
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
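The armor-then-kinit procedure that the original message describes, written out as an added shell example (this is not code from the thread or from MIT krb5). It assumes MIT krb5 client tools on the Linux side, a keytab holding the armor principal, and placeholder principal names, realm and paths. The client-side check relies on an assumption about MIT krb5's KRB5_TRACE output: that "FAST armor key" is logged when the client builds the armor and "FAST reply key" only when it decrypts a FAST-wrapped KDC reply, so a trace with the former but not the latter corresponds to the "no padata, no FAST channel" symptom reported above.

```shell
#!/bin/sh
# Reproduce the armored (FAST) kinit flow from the thread and decide, from the
# client side, whether the KDC actually completed the FAST exchange.
# Assumptions: MIT krb5 client tools (kinit), a keytab for the armor principal;
# principals, realm and paths below are placeholders, not values from the thread.

ARMOR_KEYTAB="${ARMOR_KEYTAB:-/etc/krb5.keytab}"   # keytab holding the armor principal
ARMOR_CCACHE="${ARMOR_CCACHE:-/tmp/armor.ccache}"  # separate cache for the armor TGT
TRACE_LOG="${TRACE_LOG:-/tmp/kinit-fast.trace}"    # MIT krb5 trace output goes here

# Step 1: obtain a TGT for the armor principal (service or computer account)
# from its keytab into a cache of its own, so it never mixes with user credentials.
get_armor_tgt() {
    armor_princ="$1"
    kinit -k -t "$ARMOR_KEYTAB" -c "$ARMOR_CCACHE" "$armor_princ"
}

# Step 2: request the user's TGT armored with that cache (kinit -T), recording
# the library trace so the exchange can be inspected afterwards.
armored_kinit() {
    user_princ="$1"
    KRB5_TRACE="$TRACE_LOG" kinit -T "$ARMOR_CCACHE" "$user_princ"
}

# Step 3: judge from the trace text whether FAST was really negotiated.
# Assumption (not confirmed by the thread): MIT krb5 logs "FAST armor key" when
# the client derives the armor key and "FAST reply key" only when it unwraps a
# FAST reply from the KDC. Armor key present but no reply key means the KDC
# answered without FAST, which is the symptom described in the thread.
fast_established() {
    trace_text="$1"
    printf '%s\n' "$trace_text" | grep -q 'FAST armor key' &&
        printf '%s\n' "$trace_text" | grep -q 'FAST reply key'
}

# Summarise the outcome for the operator; exit status mirrors the verdict.
report() {
    if fast_established "$(cat "$TRACE_LOG")"; then
        echo "FAST channel established: armor and reply keys present in $TRACE_LOG"
        return 0
    fi
    echo "KDC did not complete the FAST exchange; inspect $TRACE_LOG" >&2
    return 1
}

# Usage (placeholder principals):
#   ./fast_check.sh host/client.example.com@EXAMPLE.COM user@EXAMPLE.COM
if [ "$#" -eq 2 ]; then
    get_armor_tgt "$1" && armored_kinit "$2"
    report
fi
```

Running the script with the two principals performs the same two kinit calls as the thread's procedure; `report` then gives a yes/no answer that can be compared against the Wireshark capture, which remains the authoritative check because the trace-string assumption above may not hold for every krb5 release.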