[37847] in Kerberos


Re: Winlogon to MIT Kerberos KDC

daemon@ATHENA.MIT.EDU (Robert Wehn)
Wed Feb 1 06:44:23 2017

To: kerberos@mit.edu, Renyao Wei <renyao@vidaidentity.com>
From: Robert Wehn <robert.wehn@rz.uni-augsburg.de>
Message-ID: <d3b5f8fb-df0b-44ec-eb71-22efe28c30e6@rz.uni-augsburg.de>
Date: Wed, 1 Feb 2017 12:44:00 +0100
MIME-Version: 1.0
In-Reply-To: <977CEA43-7C00-4BB8-B358-C129B23F3854@vidaidentity.com>
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Renyao,

I played around with that several years (and Windows versions) ago,
but there should still be two ways to go:

A) The Windows client is not joined to an AD, or you want to map the MIT
user to a local user on every single machine because the users (or
representations of the same persons) don't exist in AD. This is done by
a local mapping in the registry, done by the
 ksetup /mapuser
command. Try ksetup /? and ksetup /mapuser /? to find out the details.

B) The Windows client is part of an AD, and you have a representation of
every MIT user in the AD, ideally a user with the same name, like
renyao@MITREALM.MYDOMAIN.COM <=> renyao@MSAD.MYDOMAIN.COM <=> MSAD\renyao

Then you have to add a Kerberos trust (AD trusts MIT) between
MITREALM.MYDOMAIN.COM and MSAD.MYDOMAIN.COM, and you have to do the
mapping to the user accounts:
The AD user renyao needs the attribute "altSecurityIdentities"
set to / appended with "Kerberos:renyao@MITREALM.MYDOMAIN.COM".
This can be done in the GUI (ADUC) with a right-click on the user -> All Tasks -> Name
Mappings -> Kerberos Names -> Add renyao@MITREALM.MYDOMAIN.COM

In addition, the clients and the AD domain controllers have to learn about the
trust (and the KDCs, if not published in DNS), either by local configuration
(ksetup /addkdc and ksetup /hosttorealm) or by GPO (Policies ->
Administrative Templates -> System -> Kerberos -> "Define host
name-to-Kerberos realm mappings" and "Define interoperable Kerberos V5 realm
settings").

Robert.


On 24.01.2017 at 21:09, Renyao Wei wrote:
> Hi,
> 
> Does anyone know how to allow Windows machines to authenticate against an MIT Kerberos KDC during Winlogon? My understanding is that there are some trusts to be set up between Active Directory and the MIT KDC. But the internet does not offer much more than that.
> 
> 
> Best,
> Renyao
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
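The two paths Robert describes, written out as an added PowerShell example (this is not code from his message, nor from MIT or Microsoft documentation). The realm and domain names are the placeholders from the thread; the KDC hostname, the passwords, the creation of the local account, and the host-principal step (which the message does not mention, but which a non-domain-joined client needs so the KDC can issue it a ticket for its own host service) are assumptions. Part A is typed on the client itself, part B on a domain-joined admin host with the ActiveDirectory RSAT module; both need an elevated prompt.

```powershell
# Added example, not part of the original message. Placeholder names follow the
# thread; the KDC hostname, passwords and the host-principal step are assumptions.

$MitRealm = 'MITREALM.MYDOMAIN.COM'
$AdDomain = 'MSAD.MYDOMAIN.COM'
$MitKdc   = 'kdc1.mitrealm.mydomain.com'   # assumed KDC hostname
$MitUser  = 'renyao'
$HostPw   = 'Replace-With-Host-Principal-Password'   # assumed secret
$TrustPw  = 'Replace-With-Trust-Password'            # assumed secret

# ---- A) Client NOT joined to AD: map the MIT principal to a local account ----

# Tell the Kerberos SSP which realm to log on to and where its KDC and kpasswd
# service live. /addkdc can be skipped if the realm publishes SRV records in DNS.
ksetup /setdomain $MitRealm
ksetup /addkdc $MitRealm $MitKdc
ksetup /addkpasswd $MitRealm $MitKdc

# Map service hosts in the MIT realm to that realm so the client asks the right
# KDC for service tickets (the local equivalent of the GPO host-to-realm policy).
ksetup /addhosttorealmmap $MitKdc $MitRealm

# Assumed step: the MIT KDC must hold host/<client-fqdn>@$MitRealm with a key
# derived from this same password (create it with kadmin on the KDC side).
ksetup /setcomputerpassword $HostPw

# Create the local account the MIT user will land in, then register the mapping
# principal -> local account that Winlogon consults.
if (-not (Get-LocalUser -Name $MitUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $MitUser -NoPassword | Out-Null
}
ksetup /mapuser "$MitUser@$MitRealm" $MitUser

# Check: ksetup with no arguments prints the realm, KDC and mapping configuration.
ksetup

# ---- B) Client joined to AD: realm trust plus name mapping on the AD user ----

# One-way trust in which the AD domain trusts the MIT realm. The MIT KDC must
# hold krbtgt/$AdDomain@$MitRealm with this same password (kadmin, assumed).
netdom trust $AdDomain "/Domain:$MitRealm" /Add /Realm "/PasswordT:$TrustPw"

# Append the Kerberos name mapping to the AD account; this is what the ADUC
# "Name Mappings -> Kerberos Names" dialog writes.
Import-Module ActiveDirectory
Set-ADUser -Identity $MitUser -Add @{ altSecurityIdentities = "Kerberos:$MitUser@$MitRealm" }

# Check: the attribute should now list the MIT principal.
(Get-ADUser -Identity $MitUser -Properties altSecurityIdentities).altSecurityIdentities
```

After a logon as renyao@MITREALM.MYDOMAIN.COM, `klist` on the client should show a TGT from the MIT realm; in the AD case, a failing logon with a correct password usually means the altSecurityIdentities value or the trust password does not match the MIT side.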
