Mantas Mikulėnas
Mon Oct 19 16:52:08 EDT 2015

On 2015-10-04 18:30, Tony Pugielli wrote:
> Good day, I have an environment with MIT Kerberos and Active Directory. Is there a way to keep both databases (username and password) in sync? The use case is 802.1x authentication. EAP-GTC is not native to many devices so we want to use Active Directory so we can take advantage of the more widely native supplicant PEAP-MSCHAPV2. We would prefer the user only need to keep track of one username and password. Right now the Kerberos MIT database is widely used for their single sign-on applications.

AFAIK, you don't strictly need AD for that – if EAP is handled by
FreeRADIUS, kcrap-lnf can handle MSCHAPv2 (i.e. the part ntlm_auth
usually handles) directly using the MIT KDC database, as the rc4-hmac
keys are compatible with what MSCHAPv2 needs.
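
Added example (not part of the original message, and not code from kcrap or FreeRADIUS): the rc4-hmac string-to-key of RFC 4757 is MD4 over the UTF-16LE password, which is the same 16-byte NT hash MSCHAPv2 is built on, so a principal's enctype 23 key can be used directly. The key list and the names `SAMPLE_KEYS` and `mschapv2_key` are constructed for illustration.

```python
import struct

# MD4 (RFC 1320) in pure Python, since hashlib often lacks md4 on OpenSSL 3.
# Each round: (mixing function, additive constant, message word order, shifts).
_ROUNDS = (
    (lambda b, c, d: (b & c) | (~b & d), 0x00000000,
     list(range(16)), (3, 7, 11, 19)),
    (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5A827999,
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (lambda b, c, d: b ^ c ^ d, 0x6ED9EBA1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, order, shifts in _ROUNDS:
            for i, idx in enumerate(order):
                t = (a + f(b, c, d) + x[idx] + k) & 0xFFFFFFFF
                a, b, c, d = d, _rol(t, shifts[i % 4]), b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF
                      for v, w in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)

def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 string-to-key: MD4(UTF-16LE(password)); the salt is unused."""
    return md4(password.encode("utf-16-le"))

ENCTYPE_RC4_HMAC = 23  # arcfour-hmac / rc4-hmac

def mschapv2_key(principal_keys):
    """Return the key usable as the NT hash, or None when the principal
    has no rc4-hmac key (AES-only principals cannot be served this way)."""
    for enctype, key in principal_keys:
        if enctype == ENCTYPE_RC4_HMAC and len(key) == 16:
            return key
    return None

# Constructed sample: one AES256 key (enctype 18, dummy bytes) and one rc4-hmac key.
SAMPLE_KEYS = [(18, bytes(32)), (23, rc4_hmac_string_to_key("password"))]
```

The same equivalence means an rc4-hmac key in the KDC database is password-equivalent for MSCHAPv2, so whatever reads those keys needs the same protection as the KDC itself.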

