[WinPartners] Authenticate Kerberos on Windows Login

Paul B. Hill pbh at MIT.EDU
Wed Oct 6 16:26:31 EDT 2004


Since Windows 2000 the default authentication mechanism used by Windows
(2000, XP, and Server 2003) is Kerberos, within the context of a Windows
Domain. As Steve Dowdy has pointed out, the WIN.MIT.EDU domain supports
cross-realm Kerberos authentication which enables MIT users to authenticate
to the Domain using their MIT (aka Athena) username and password.

However, if the Windows machine is not part of the WIN.MIT.EDU domain,
cross-realm Kerberos authentication cannot be used to authenticate to
resources within the WIN Domain. 

Less well known is the fact that it is possible to configure a non-Domain
machine, i.e. a workgroup machine or stand-alone machine, so that the
initial authentication mechanism is Kerberos. Microsoft does publish a paper
that covers the generic setup steps. If you look at
<http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp>
and scroll down to the section that says "Using an MIT KDC with a
Standalone Windows 2000 Workstation" you will find the basic procedure
described. 

Please note that the instructions provided above will not result in the complete
single sign-on integration that Steve described in his message. Further
configuration steps would need to be performed. Also, the other benefits of
a Windows Domain would not be realized in such a configuration.

If you have further questions on this topic please don't hesitate to ask.

Paul B. Hill
Operations and Infrastructure Services
Information Services & Technology    

-----Original Message-----
From: winpartners-bounces at MIT.EDU [mailto:winpartners-bounces at MIT.EDU] On
Behalf Of Michael Maier
Sent: Tuesday, October 05, 2004 8:51 PM
To: winpartners at mit.edu
Subject: [WinPartners] Authenticate Kerberos on Windows Login

I wanted to find out if there was a way possible to have Kerberos 
authenticate on login to a Windows machine.  I know this is possible to do 
with a Mac under OSX, but I have not found a way to be able to do this with 
a Windows-based machine.  If anyone knows if this is possible and knows 
where I can find instructions on doing so, it would be greatly appreciated.

	Thanks,
	Mike

_______________________________________________
winpartners mailing list
winpartners at mit.edu
http://mailman.mit.edu/mailman/listinfo/winpartners


