
RE: Establish FAST encrypted channel between Linux client and Windows

daemon@ATHENA.MIT.EDU (Wilper, Ross)
Mon Feb 9 11:51:26 2015

From: "Wilper, Ross" <rwilper@slac.stanford.edu>
To: Faisal Ali <faisal.ali.101@gmail.com>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Mon, 9 Feb 2015 15:50:00 +0000
Message-ID: <76fcd0c9020543edad8b0a8f954332bd@exch13-mail04.win.slac.stanford.edu>
In-Reply-To: <CAPRB653gaNLG8TK1tja-EWUMdgGx_4B-PYXW4TrTXGyJOOzLyQ@mail.gmail.com>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

I would be interested to see if you can make this work. It's been a while since I've looked into this and did not get very far.

It sounds like you are on the right path - one of the gotchas is that AD does not seem to support pkinit null, which is what many Kerberos implementations do to create the armor. What Windows machines do is to use the computer account as the armor for the user account logon. This may actually be a requirement (that the armor be a computer account) because the AD KDC wants to have both involved in the logon interaction so as to generate computer and user claims into the resulting ticket. I hope that I am wrong on that.

-Ross

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Faisal Ali
Sent: Monday, February 9, 2015 5:55 AM
To: kerberos@mit.edu
Subject: Establish FAST encrypted channel between Linux client and Windows server

I am trying to set up a Windows server for FAST encrypted channel support, to test OTP pre-authentication in Kerberos.

I have already tested this on a Linux machine by deploying a KDC using the krb5-1.12.1 source code and a FreeRADIUS server, and using the keytab of a service principal to receive an armor ccache, which is then used to establish the FAST encrypted channel between client and KDC.

I have set up Windows Server 2012 for Kerberos and enabled the "KDC support for claims, compound authentication and Kerberos armoring" policy on it. I can receive a TGT for the service principal. But when I execute the command "kinit -T <armor-cache> <principal>", the KDC does not reply with any padata and no FAST encrypted channel is established (observed through the Wireshark log and the Kerberos library logs).

Is it possible to establish a FAST encrypted channel between a Linux client and Windows AD? Have I missed any setting?
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

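The procedure discussed in this thread (obtain an armor ccache from a keytab, then run an armored kinit) and Ross's point that AD expects the armor to be a computer account suggest a small, repeatable check. The script below is an added example written for this archive page; it is not code from either poster or from MIT krb5. It assumes the host's keytab is at /etc/krb5.keytab, that the machine principal is host/<fqdn>, and that scratch paths under /tmp are acceptable; the function names acquire_armor_ccache, fast_kinit and fast_negotiated are this example's own. The trace line it greps for is the message MIT krb5's client library writes when FAST is negotiated (confirm against the KRB5_TRACE output of the krb5 version you run); the sample trace text embedded for the offline check is constructed.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original posts.
# Assumptions (override via environment): host keytab path, armor ccache
# path, trace log path. Realm-specific values are placeholders.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"          # assumption: machine keytab
ARMOR_CC="${ARMOR_CC:-/tmp/armor_cc}"         # assumption: scratch ccache
TRACE_LOG="${TRACE_LOG:-/tmp/kinit_fast.trace}"

# Step 1: get a TGT for the machine (computer account) principal into a
# separate ccache. Per the reply above, AD wants a computer account as
# the armor rather than an anonymous/PKINIT-null armor ticket.
acquire_armor_ccache() {
    kinit -k -t "$KEYTAB" -c "$ARMOR_CC" "host/$(hostname -f)"
}

# Step 2: armored AS-REQ for the user principal given as $1, with the
# krb5 client library's trace output captured for later inspection.
fast_kinit() {
    KRB5_TRACE="$TRACE_LOG" kinit -T "$ARMOR_CC" "$1"
}

# Step 3: decide from a trace file ($1) whether FAST was actually
# negotiated, instead of trusting that kinit returned 0. An unarmored
# exchange (the symptom in the question: no padata back from the KDC)
# never logs this line. Returns 0 if negotiated, 1 otherwise.
fast_negotiated() {
    grep -q 'FAST negotiated by client and KDC' "$1"
}

# Constructed sample traces for an offline check of fast_negotiated.
# These are illustrative lines, not captured from a real KDC exchange.
SAMPLE_TRACE_FAST='[1234] 1423497300.000000: Getting initial credentials for user@EXAMPLE.COM
[1234] 1423497300.000001: FAST armor ccache: FILE:/tmp/armor_cc
[1234] 1423497300.000002: Sending request (200 bytes) to EXAMPLE.COM
[1234] 1423497300.000003: FAST negotiated by client and KDC'
SAMPLE_TRACE_NOFAST='[1234] 1423497300.000000: Getting initial credentials for user@EXAMPLE.COM
[1234] 1423497300.000001: Sending request (150 bytes) to EXAMPLE.COM
[1234] 1423497300.000002: Received answer (100 bytes) from dc01.example.com'

# Convenience wrapper: write a sample to a temp file and run the check.
check_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    if fast_negotiated "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Live usage (needs a KDC, so not run here):
#   acquire_armor_ccache && fast_kinit user@EXAMPLE.COM
#   fast_negotiated "$TRACE_LOG" && echo "FAST armor in use" || echo "NOT armored"
```

On the wire, the same fact can be confirmed in Wireshark: an armored AS-REQ carries padata type 136 (PA-FX-FAST, RFC 6113) wrapping the inner request, and the KDC's reply carries it too; a reply with no padata at all, as described in the question, means the exchange was not armored and the OTP pre-authentication never took place under FAST.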
