[WinPartners] Authenticate Kerberos on Windows Login

Kerem B Limon k_limon at MIT.EDU
Wed Oct 6 11:29:02 EDT 2004


Mike--

It is possible for Windows clients to authenticate to MIT Kerberos KDCs using
Microsoft's built-in Kerberos components. There are, however, caveats. I can
discuss details off-line if you like.

Briefly, if you're not using an Active Directory domain with a trust
relationship to the MIT Kerberos realm in question, you will need a host
principal for each machine and set the "computer password" to match the
password for that host principal. These are configured in the registry, and can
be done via a tool called Ksetup.exe, part of the Customer Support Tools
(included on the OS CDs for each flavor of Windows).

If you have an Active Directory domain, then you could set up a one-way or
two-way trust relationship to the MIT Kerberos realm (depending on what it is
you want to accomplish) and then configure machines in your Active Directory
domain with the MIT Kerberos KDCs and associated settings, again using
Ksetup.exe.

Both, of course, imply you need to have admin access to the MIT Kerberos realm
or an admin willing to make the changes on your behalf.

Either way, you can obtain Kerberos credentials for the MIT Kerberos realm via
the Windows login window. You can then further configure MIT Kerberos for
Windows to import your Kerberos credentials from the Microsoft credentials
cache to the MIT Kerberos credentials cache, which applications like MIT's SAP
and Eudora expect to find. There are instructions on doing these on TechNet
(and I can forward you mine).

There are some security considerations I've omitted here, beyond glossing over
the details. Due to limitations in Windows (at least the currently released
service pack versions), only certain encryption types will work for the passing
of credentials between the machines/any AD domain and the MIT Kerberos realm
KDCs. This may be a concern for the KDC admins. Similarly, trust between an
Active Directory domain and an MIT Kerberos realm, even one-way, creates
potential security risks for either or both domains. It is ultimately a matter
of what the admins of the particular Kerberos realm and/or Active Directory
domain are willing to risk vs. the benefits gained.

I would strongly encourage you to consider Steve's recommendation for
win.mit.edu. Not only are you likely to encounter (legitimate) pushback from
Kerberos admins regarding the kind of trust relationships/configuration changes
you wish to make, but properly maintaining a local Kerberos infrastructure (or
its local extension) and integrating a sometimes less-than-cooperative Windows
into it is no simple task. Joining win.mit.edu also off-loads a lot of the
domain-level management tasks to the central authority, leaving you able to
focus on maintaining your own environment (with high granularity) and to
deliver the same things you are doing.

Regards,
Kerem


Quoting Stephen Dowdy <sdowdy at MIT.EDU>:

> If you put your machine in the MIT managed domain, you get MIT Kerberos 
> authentication when the user logs into the machine.  You can get your own 
> container from IS&T that you can manage.  Upon logging in, the user gets 
> K4, K5 and AFS tokens.  You can install software via group policy and 
> administer other machines in your container.  I have been very pleased with 
> the service and support and strongly recommend you look into obtaining your 
> own container and join the centrally managed domain.
> 
> See: 
> http://web.mit.edu/ist/topics/windows/server/winmitedu/index.html    for 
> more information.
> 
> 
> 
> At 08:51 PM 10/5/2004 -0400, Michael Maier wrote:
> >I wanted to find out if there was any way possible to have Kerberos 
> >authenticate on login to a Windows machine.  I know this is possible to do 
> >with a Mac under OSX, but I have not found a way to be able to do this 
> >with a Windows-based machine.  If anyone knows if this is possible and 
> >knows where I can find instructions on doing so, it would be greatly 
> >appreciated.
> >
> >         Thanks,
> >         Mike
> >
> >_______________________________________________
> >winpartners mailing list
> >winpartners at mit.edu
> >http://mailman.mit.edu/mailman/listinfo/winpartners
> 


Kerem B. Limon
kerem.limon at mit.edu /e-mail
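The Ksetup.exe procedure Kerem outlines for a workstation that is not in an Active Directory domain, written out as an added PowerShell example (not taken from any message in this thread). The realm name, KDC hostnames and account names are placeholders, the host principal for the machine is assumed to have been created by the realm admin already, and the commands are assumed to run from an elevated prompt on a Windows release whose Kerberos SSP supports an encryption type the host principal's key uses:

```powershell
# Added example: point a standalone Windows machine at an MIT Kerberos realm.
# All names below are placeholders; a reboot is required once the settings are in.
$Realm = 'EXAMPLE.EDU'                                # MIT realm (upper case by convention)
$Kdcs  = 'kdc1.example.edu', 'kdc2.example.edu'       # placeholder KDC hostnames

# 1. Tell the built-in Kerberos components which realm and KDCs to use.
ksetup /setrealm $Realm
foreach ($kdc in $Kdcs) { ksetup /addkdc $Realm $kdc }
ksetup /addkpasswd $Realm $Kdcs[0]                    # password-change (kadmind) server

# 2. The "computer password" from the message: it must equal the password that was
#    used to create this machine's host principal (host/<fqdn>@EXAMPLE.EDU) in the
#    realm, because Windows derives the machine's key from it.
$hostPw = Read-Host -Prompt 'Password of this machine''s host principal'
ksetup /setcomputerpassword $hostPw

# 3. Map realm principals to local accounts. Mapping one principal to one local
#    account keeps the set of people who can log in explicit; 'ksetup /mapuser * *'
#    would accept any principal in the realm with a same-named local account.
ksetup /mapuser 'mike@EXAMPLE.EDU' 'mike'            # placeholder principal and account

# 4. Review what was written to the registry before rebooting.
ksetup                                               # dumps realm, KDC list and mappings
```

After the reboot, log in as the mapped principal and run `klist` to confirm that a ticket-granting ticket from the MIT realm is present in the Microsoft credentials cache.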
