Kerberos, Windows and FreeIPA

Jean-Christophe GAY jean-christophe.gay at dauphine.fr
Sat Oct 24 15:04:47 EDT 2015


Hi,

I think this may be working. When I was trying to make Microsoft's AD authenticate to a Kerberos server and not the AD controllers, we managed to get a standalone Windows machine to authenticate to a RHEL MIT KDC. I'm not at work atm so I can't check this on our wiki, but these may be able to help you:
http://serverfault.com/questions/129854/authenticating-windows-7-against-mit-kerberos-5
https://msdn.microsoft.com/en-us/library/bb742433.aspx

Regards,
Jean-Christophe Gay

----- Original Message -----
> From: "Russ Allbery" <eagle at eyrie.org>
> To: "Randolph Morgan" <randym at chem.byu.edu>
> Cc: kerberos at mit.edu
> Sent: Friday, 23 October 2015 22:17:36
> Subject: Re: Kerberos, Windows and FreeIPA
> 
> Randolph Morgan <randym at chem.byu.edu> writes:
> 
> > We are running a mixed environment network.  However, all of our
> > authentication is performed via LDAP, we do not have an AD on our
> > network, nor do we have any Windows servers, all of our servers are
> > running RHEL.  We are working on implementing a new authentication
> > server that is running FreeIPA, but would like to do single sign-on via
> > Kerberos.  I have been reading posts for the better part of two weeks
> > and can not find instructions that work, on how to get Windows (XP - 10)
> > to authenticate via Kerberos.
> 
> There used to be various workarounds that would let you do this, but when
> we asked Microsoft about it, they said it was officially unsupported and
> very likely to break.  I think subsequent releases of Windows may have
> broken it.
> 
> I believe the only supported way to get a Windows system to use Kerberos
> for its integrated login is to join the host to a domain (whether AD or
> Samba).
> 
> You can, of course, run Kerberos software on unjoined Windows hosts, get
> tickets, and authenticate to Kerberos services without any trouble.  The
> problems arise when you want the core OS stuff to use Kerberos directly,
> since I believe all of that is effectively gated on being domain-joined.
> 
> --
> Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


