Winlogon to MIT Kerberos KDC

Robert Wehn robert.wehn at rz.uni-augsburg.de
Wed Feb 1 06:44:00 EST 2017


Hi Renyao,

I've played around with that several years (and Windows versions) ago,
but there should still be two ways to go there:

A) The Windows client is not joined to an AD, or you want to map the MIT
user to a local user on every single machine because the users (or
representations of the same persons) don't exist in AD. This is done by
a local mapping in the registry, done by the
 ksetup /mapuser
command. Try ksetup /? and ksetup /mapuser /? to find out the details.

B) The Windows client is part of an AD, and you have a representation of
every MIT user in the AD, ideally a user with the same name, like
renyao at MITREALM.MYDOMAIN.COM <=> renyao at MSAD.MYDOMAIN.COM <=> MSAD\renyao

Then you have to add a Kerberos trust (AD trusts MIT) between
MITREALM.MYDOMAIN.COM and MSAD.MYDOMAIN.COM, and you have to do the
mapping to the user accounts:
The AD user renyao needs the attribute "altSecurityIdentities"
set/appended to/by "Kerberos:renyao at MITREALM.MYDOMAIN.COM".
This can be done by GUI (ADUC) with right-click on User -> All Tasks -> Name
Mappings -> Kerberos Names -> Add renyao at MITREALM.MYDOMAIN.COM

In addition, the clients and the AD controllers have to learn about the
trust (and the KDCs, if not done in DNS), either by local configuration
(ksetup /addkdc and ksetup /hosttorealm) or by GPO (Policies ->
Administrative Templates -> System -> Kerberos -> "Define host
name-to-Kerberos realm mappings", "Define interoperable Kerberos V5 realm
settings").

Robert.


On 24.01.2017 at 21:09, Renyao Wei wrote:
> Hi,
> 
> Does anyone know how to allow Windows machines to authenticate against a MIT Kerberos KDC during Winlogon? My understanding is that there are some trusts to be set up between Active Directory and MIT KDC. But the internet does not offer much more than that.
> 
> 
> Best,
> Renyao
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
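As an added illustration (not part of Robert's or Renyao's messages, and not MIT or Microsoft documentation), the two options above written out as the equivalent command-line steps. The realm and domain names are the ones from the thread; the KDC host name kdc1.mitrealm.mydomain.com, the DNS suffix .mitrealm.mydomain.com and the trust password are constructed placeholders. The AD part of option B needs the ActiveDirectory PowerShell module (RSAT) and write access to the user object; the trust command runs on a domain controller, and the MIT side needs a matching cross-realm krbtgt principal with the same password (created in kadmin, not shown here).

```powershell
# Added example: client-side and AD-side configuration for the two options
# described in the reply. Values below are assumptions for illustration.
$MitRealm  = 'MITREALM.MYDOMAIN.COM'
$AdDomain  = 'MSAD.MYDOMAIN.COM'
$MitKdc    = 'kdc1.mitrealm.mydomain.com'   # assumed KDC host name
$MitSuffix = '.mitrealm.mydomain.com'       # assumed DNS suffix of MIT hosts
$User      = 'renyao'

# Option A: workgroup client (not domain-joined); the MIT principal is
# mapped to a local account in the client's registry via ksetup.
function Set-MitRealmLocalMapping {
    # Make the MIT realm the default logon realm of this machine and tell
    # it where the KDC is (only needed if the KDC is not published in DNS).
    ksetup /setrealm $MitRealm
    ksetup /addkdc $MitRealm $MitKdc
    # Map the MIT principal to the local account of the same name.
    ksetup /mapuser "${User}@${MitRealm}" $User
}

# Option B: domain-joined client, AD trusts the MIT realm, and each AD user
# carries a Kerberos name mapping to its MIT principal.
function Set-MitRealmTrustMapping {
    Import-Module ActiveDirectory

    # On a domain controller: one-way realm trust, AD (trusting) -> MIT
    # (trusted). The password must match the MIT cross-realm principal
    # krbtgt/MSAD.MYDOMAIN.COM@MITREALM.MYDOMAIN.COM (placeholder below).
    netdom trust $AdDomain /Domain:$MitRealm /add /realm /PasswordT:'<trust-password-placeholder>'

    # Append (not overwrite) the Kerberos name mapping; -Add preserves any
    # mappings already present in altSecurityIdentities.
    Set-ADUser -Identity $User -Add @{ altSecurityIdentities = "Kerberos:${User}@${MitRealm}" }

    # On the client (or via the two GPO settings named in the reply):
    # KDC location and host-name-to-realm mapping for the MIT realm.
    ksetup /addkdc $MitRealm $MitKdc
    ksetup /addhosttorealmmap $MitSuffix $MitRealm
}

# Verification: what the client currently knows, and what AD has stored.
function Test-MitRealmMapping {
    ksetup   # without arguments prints default realm, KDCs and mappings
    Get-ADUser -Identity $User -Properties altSecurityIdentities |
        Select-Object SamAccountName, altSecurityIdentities
}
```

Whoever can write altSecurityIdentities on a user object can map an arbitrary foreign principal to that AD account, so the attribute deserves the same access review and change auditing as a password reset right; running Test-MitRealmMapping after the change also confirms that -Add appended the mapping instead of replacing existing entries.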

