Kerberos, Windows and FreeIPA

Jean-Christophe GAY at
Sat Oct 24 15:04:47 EDT 2015


I think this may be working. When I was trying to make Microsoft's AD to authenticate to a Kerberos server and not the AD controlleurs we managed to get a stand alone windows to authenticate to a RHEL MIT KDC. I'm not at work atm so I can't check this on our wiki, but theses may be able to help you :

Jean-Christophe Gay

----- Mail original -----
> De: "Russ Allbery" <eagle at>
> À: "Randolph Morgan" <randym at>
> Cc: kerberos at
> Envoyé: Vendredi 23 Octobre 2015 22:17:36
> Objet: Re: Kerberos, Windows and FreeIPA
> Randolph Morgan <randym at> writes:
> > We are running a mixed environment network.  However, all of our
> > authentication is performed via LDAP, we do not have an AD on our
> > network, nor do we have any Windows servers, all of our servers are
> > running RHEL.  We are working on implementing a new authentication
> > server that is running FreeIPA, but would like to do single sign-on via
> > Kerberos.  I have been reading posts for the better part of two weeks
> > and can not find instructions that work, on how to get Windows (XP - 10)
> > to authenticate via Kerberos.
> There used to be various workarounds that would let you do this, but when
> we asked Microsoft about it, they said it was officially unsupported and
> very likely to break.  I think subsequent releases of Windows may have
> broken it.
> I believe the only supported way to get a Windows system to use Kerberos
> for its integrated login is to join the host to a domain (whether AD or
> Samba).
> You can, of course, run Kerberos software on unjoined Windows hosts, get
> tickets, and authenticate to Kerberos services without any trouble.  The
> problems arise when you want the core OS stuff to use Kerberos directly,
> since I believe all of that is effectively gated on being domain-joined.
> --
> Russ Allbery (eagle at              <>
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list