Login to XP workstation in Windows Server 2003 2k3 AD domain with MIT kerberos KDC

I am new to Kerberos and I probably have the terminology wrong so I
apologize right off.

We are trying to build an environment where students are allowed to
log into a Windows XP desktop workstation that is part of a Windows
Server 2003 (we could use win2k3 or win2000 if need be...) Active
Directory domain, but we would like them to authenticate to an MIT
Kerberos KDC through a trust arrangement. We don't want the MIT
Kerberos KDC to have to know and trust each individual workstation, we
want it to only know about the Windows Server 2003 domain controller.
In other words I don't want to point 100 XP workstations at the KDC
for authentication, I want them to just sign into the AD domain but
get authenticated by the fact that they have a valid account in the
MIT kerberos KDC.

Is this even possible?

TIA

tj
0
1/14/2005 8:52:46 PM

> Active Directory domain, but we would like them to authenticate to an MIT
> Kerberos KDC through a trust arrangement. We don't want the MIT
> Kerberos KDC to have to know and trust each individual workstation, we
> want it to only know about the Windows Server 2003 domain controller.
> In other words I don't want to point 100 XP workstations at the KDC
> for authentication, I want them to just sign into the AD domain but
> get authenticated by the fact that they have a valid account in the
> MIT kerberos KDC.
> 
> Is this even possible?

Yes, that's possible. It should be quite easy to set up (some time ago I 
got it to work). Take a look at:

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

The section "Setting Trust with a Kerberos Realm" is relevant for your 
needs. Don't forget to create the account mapping in the AD directory 
for each user (this is needed because of the Windows authorization 
model, i.e. Windows needs to know in which (domain-)groups you are etc).

Note: this setup will only allow Kerberos authentication, no NTLM will 
be available (under some circumstances Windows will transparently fall 
back to NTLM, e.g. if you want to access the shares of a computer using a 
plain IP-address such as \\192.168.10.12\share_name).
The current Samba 3.x branch doesn't support cross-realm trusts with 
non-Windows realms, AFAIK.
Your KDC should be allowed to issue DES keys because I think for 
cross-realm trusts between AD and MIT krb5 these have to be DES ones.

Hope this will help you.

Thomas
0
1/15/2005 9:10:07 AM
Thomas Schweizer wrote:
> Note: this setup will only allow Kerberos authentication, no NTLM will 
> be available (under some circumstances Windows will transparently fall 
> back to NTLM, e.g. if you want to access the shares of a computer using a 
> plain IP-address such as \\192.168.10.12\share_name).
> The current Samba 3.x branch doesn't support cross-realm trusts with 
> non-Windows realms, AFAIK.
> Your KDC should be allowed to issue DES keys because I think for 
> cross-realm trusts between AD and MIT krb5 these have to be DES ones.

Windows 2003 SP1 will support RC4-HMAC for cross-realm trusts.
You need to use the 2003 SP1 Support Tools version of ktpass.exe
in order to generate keytabs with RC4-HMAC keys.

Something very important to note.  If you turn on or off the "use
DES only" key or change the SPN associations for an account, you
must remember to perform a "reset password" operation on the account
in order for the changes to work correctly.

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
0
jaltman2 (417)
1/15/2005 2:57:06 PM
Is this a side effect of the salt containing the old principal name,
and AD storing a password? Can one tell if the salt is correct
by looking at the suggested salt in an error response to an AS_REQ?


Jeffrey Altman wrote:
> Thomas Schweizer wrote:
> 
>>Note: this setup will only allow Kerberos authentication, no NTLM will 
>>be available (under some circumstances Windows will transparently fall 
>>back to NTLM, e.g. if you want to access the shares of a computer using a 
>>plain IP-address such as \\192.168.10.12\share_name).
>>The current Samba 3.x branch doesn't support cross-realm trusts with 
>>non-Windows realms, AFAIK.
>>Your KDC should be allowed to issue DES keys because I think for 
>>cross-realm trusts between AD and MIT krb5 these have to be DES ones.
> 
> 
> Windows 2003 SP1 will support RC4-HMAC for cross-realm trusts.
> You need to use the 2003 SP1 Support Tools version of ktpass.exe
> in order to generate keytabs with RC4-HMAC keys.
> 
> Something very important to note.  If you turn on or off the "use
> DES only" key or change the SPN associations for an account, you
> must remember to perform a "reset password" operation on the account
> in order for the changes to work correctly.
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

0
deengert (574)
1/17/2005 6:52:25 PM
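
An added example, not part of the thread or of any poster's code: the salt comparison asked about above, done by decoding the ETYPE-INFO pre-authentication data (RFC 4120) that a KDC can return in its error reply to an AS_REQ and checking each advertised salt against the RFC 4120 default salt (realm followed by the principal's name components). The realm `EXAMPLE.EDU`, the principals `jdoe` and `jsmith`, and the sample bytes are constructed for illustration, and the code assumes the ETYPE-INFO value has already been extracted from the KRB-ERROR.

```python
# Added example: decode an ETYPE-INFO value and compare the salts it
# advertises with the default salt for the principal's current name.
# All names and the sample bytes below are constructed, not captured.

ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}
SALTLESS = {23}  # rc4-hmac string-to-key ignores the salt


def read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def parse_etype_info(der):
    """ETYPE-INFO ::= SEQUENCE OF SEQUENCE {
           etype [0] Int32, salt [1] OCTET STRING OPTIONAL }"""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ETYPE-INFO must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, entry, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("ETYPE-INFO-ENTRY must be a SEQUENCE")
        etype, salt, epos = None, None, 0
        while epos < len(entry):
            ctx, inner, epos = read_tlv(entry, epos)
            itag, value, _ = read_tlv(inner, 0)
            if ctx == 0xA0 and itag == 0x02:      # [0] INTEGER
                etype = int.from_bytes(value, "big", signed=True)
            elif ctx == 0xA1 and itag == 0x04:    # [1] OCTET STRING
                salt = value
        if etype is None:
            raise ValueError("entry without etype")
        entries.append((etype, salt))
    return entries


def default_salt(realm, principal):
    """RFC 4120 default salt: realm + name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")


def check_salts(etype_info_der, realm, principal):
    """Return (etype name, advertised salt, verdict) per entry."""
    expected = default_salt(realm, principal)
    report = []
    for etype, salt in parse_etype_info(etype_info_der):
        name = ETYPES.get(etype, "etype-%d" % etype)
        if etype in SALTLESS:
            verdict = "salt-not-used"
        elif salt is None:
            verdict = "default-salt-implied"
        elif salt == expected:
            verdict = "matches-default"
        else:
            verdict = "differs-from-default"
        shown = salt.decode("utf-8", "replace") if salt is not None else None
        report.append((name, shown, verdict))
    return report


def _tlv(tag, value):
    """Tiny DER encoder (short lengths only) used to build the sample."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


# Constructed sample: a DES entry still salted with the old name "jdoe",
# and an rc4-hmac entry that carries no salt.
SAMPLE_ETYPE_INFO = _tlv(0x30,
    _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x03")) +
               _tlv(0xA1, _tlv(0x04, b"EXAMPLE.EDUjdoe"))) +
    _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x17"))))

if __name__ == "__main__":
    for row in check_salts(SAMPLE_ETYPE_INFO, "EXAMPLE.EDU", "jsmith"):
        print(row)
```

A `differs-from-default` verdict only says the KDC is advertising a salt built from something other than the current name; a KDC may also assign non-default salts deliberately, so the result is a hint rather than proof of a stale key.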