[37262] in Kerberos


Re: syncing MIT Kerberos to Active Directory

daemon@ATHENA.MIT.EDU (Mantas Mikulėnas)
Mon Oct 19 17:41:40 2015

To: Tony Pugielli <tpugielli@tti-wireless.com>,
        "kerberos@mit.edu" <kerberos@mit.edu>
From: Mantas Mikulėnas <grawity@gmail.com>
Message-ID: <562557F8.60209@gmail.com>
Date: Mon, 19 Oct 2015 23:52:08 +0300
MIME-Version: 1.0
In-Reply-To: <bbc0296fdd8b47d7b5265cc381399591@WEBMAIL.tti-wireless.com>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On 2015-10-04 18:30, Tony Pugielli wrote:
> Good day, I have an environment with MIT Kerberos and Active Directory. Is there a way to keep both databases (username and password) in sync? The use case is 802.1x authentication. EAP-GTC is not native to many devices so we want to use Active Directory so we can take advantage of the more widely native supplicant PEAP-MSCHAPV2. We would prefer the user only need to keep track of one username and password. Right now the Kerberos MIT database is widely used for their single sign-on applications.

AFAIK, you don't strictly need AD for that – if EAP is handled by
FreeRADIUS, kcrap-lnf can handle MSCHAPv2 (i.e. the part ntlm_auth
usually handles) directly using the MIT KDC database, as the rc4-hmac
keys are compatible with what MSCHAPv2 needs.

-- 
Mantas Mikulėnas <grawity@gmail.com>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
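The reply above rests on one fact: the MIT KDC's rc4-hmac long-term key (RFC 4757) and the NT password hash that MS-CHAPv2 consumes (RFC 2759) are the same bytes, MD4 over the UTF-16LE password with no salt. The following is an added example, not code from the post, from kcrap, or from FreeRADIUS. It computes both values with an inline MD4 (hashlib's md4 depends on OpenSSL's legacy provider and is often absent), then carries the MS-CHAPv2 derivation as far as the DES key schedule so you can see exactly what a RADIUS backend needs from the KDC database. The DES encryption of the challenge itself is left to the MS-CHAPv2 library; the test vector constants are taken from RFC 2759 section 9.2.

```python
import hashlib
import struct

_M32 = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented inline so the example runs without
    OpenSSL's legacy provider."""
    def rot(x, n):
        return ((x << n) | (x >> (32 - n))) & _M32

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: words in order, shifts 3/7/11/19
            a = rot((a + f(b, c, d) + x[i]) & _M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: columns 0,4,8,12,1,5,... + sqrt(2) constant
            k = (i % 4) * 4 + i // 4
            a = rot((a + g(b, c, d) + x[k] + 0x5A827999) & _M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: bit-reversed order + sqrt(3) constant
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rot((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M32, (b + bb) & _M32, (c + cc) & _M32, (d + dd) & _M32
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 section 3: the rc4-hmac key is MD4(UTF-16LE(password)),
    no salt, no iteration count. This is what the MIT KDC stores for
    the arcfour-hmac enctype."""
    return _md4(password.encode("utf-16-le"))


def nt_password_hash(password: str) -> bytes:
    """RFC 2759 NtPasswordHash(): byte-for-byte the same computation,
    which is why the KDC's rc4-hmac key can back MS-CHAPv2."""
    return _md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash(): first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    UserName is the bare name, without any domain prefix."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def des_keys_from_nt_hash(pw_hash: bytes) -> list:
    """RFC 2759 section 8.5 ChallengeResponse(): zero-pad the 16-byte
    hash to 21 bytes and split it into three 7-byte DES keys; section
    8.6 DesEncrypt() spreads each over 8 bytes with odd parity in the
    low bit. Note the third key carries only 16 real bits."""
    padded = pw_hash + b"\x00" * 5
    keys = []
    for chunk in (padded[0:7], padded[7:14], padded[14:21]):
        bits = int.from_bytes(chunk, "big")
        key = bytearray()
        for i in range(8):
            seven = (bits >> (49 - 7 * i)) & 0x7F
            byte = seven << 1
            if bin(seven).count("1") % 2 == 0:
                byte |= 1  # odd parity
            key.append(byte)
        keys.append(bytes(key))
    return keys


# RFC 2759 section 9.2 test vector (the challenges are the ASCII strings
# "[]|}{?/><,`!2&&(" and "!@#$%^&*()_+:3|~").
RFC2759_USER = "User"
RFC2759_PASSWORD = "clientPass"
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")

if __name__ == "__main__":
    key = rc4_hmac_string_to_key(RFC2759_PASSWORD)
    print("rc4-hmac key == NT hash:", key == nt_password_hash(RFC2759_PASSWORD))
    print("NT hash:", key.hex())
    print("challenge hash:", challenge_hash(RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE, RFC2759_USER).hex())
    for i, k in enumerate(des_keys_from_nt_hash(key)):
        print(f"DES key {i}: {k.hex()}")
```

Two things to check before relying on this in a FreeRADIUS deployment: the principal must actually have an arcfour-hmac key in the KDC database (it is only generated when `supported_enctypes` in kdc.conf includes it, so check with `kadmin getprinc`), and that key is a password equivalent, so whatever reads it for MS-CHAPv2 needs the same protection as the KDC database itself.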