[29890] in Kerberos
Re: what happens when kfw is disconnected
daemon@ATHENA.MIT.EDU (David Bear)
Wed May 28 12:31:43 2008
Message-ID: <1d1a54bf0805280930l38b182dcta6f5a7f844309f9f@mail.gmail.com>
Date: Wed, 28 May 2008 09:30:58 -0700
From: "David Bear" <David.Bear@asu.edu>
To: jaltman@secure-endpoints.com
In-Reply-To: <483D81FD.60206@secure-endpoints.com>
Cc: kerberos@mit.edu

On Wed, May 28, 2008 at 9:02 AM, Jeffrey Altman <jaltman@secure-endpoints.com> wrote:
> David Bear wrote:
>
>> We have the challenge of supporting very mobile users who may hop between
>> many wireless networks. These machines are joined to an AD domain so when
>> they hop on to a wireless network, they are logged on using whatever
>> credentials Windows has cached. This seems to cause an issue for KfW
>> and/or OpenAFS. I am wondering if KfW handles the situation where it
>> cannot contact a KDC because there is no network path available because
>> Windows hasn't connected to any network. Can KfW be instructed to wait a
>> certain time period for trying to get a tgt? Or, can KfW wait for an
>> event, like the availability of a wireless network -- and then contact
>> the kdc for credentials?
>
> KFW does not cache the user's password. If the KDC is not reachable
> during logon, the user will not obtain credentials.
>
> The user can obtain credentials at a later time using Network Identity
> Manager. You can configure NetIdMgr to monitor network connectivity and
> prompt the user to obtain credentials if s/he has none.
>
>

Then we should configure KfW to NOT get credentials at logon, and set it
to prompt for logon when the network becomes active? I think I found that
setting in NiM under options->general (uncheck obtain new credentials at
startup).

Monitor network activity is also currently checked. I assume that is what
needs to be checked to have NiM prompt for logon when available?

--
David Bear
College of Public Programs at ASU
602-464-0424