[30145] in Kerberos


Creating an MIT style keytab for an existing Windows AD member

daemon@ATHENA.MIT.EDU (Edward Irvine)
Wed Jul 23 04:00:18 2008

Mime-Version: 1.0 (Apple Message framework v753.1)
Message-Id: <2EFEBB04-5276-442A-9EA3-B9B41FDEC9A7@tpg.com.au>
To: kerberos@mit.edu
From: Edward Irvine <eirvine@tpg.com.au>
Date: Wed, 23 Jul 2008 17:59:17 +1000
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi,

I'd like to find out if there is any way to extract a HOST keytab for
a Windows computer that is already a member of an Active Directory
domain.

A Java developer I look after wants to do the single sign on thing to  
his web application. Our environment is a mixed Active Directory and  
Solaris environment.

By creating a new user in Active Directory, and mapping the user to a
service principal using ktpass.exe, we now have SPNEGO single sign on
working between the client's Internet Explorer and the JBoss server on
*Solaris*. So far so good.

The developer, who uses a Windows workstation that is part of the Active
Directory domain, now wants the SPNEGO authentication to work on his
own Windows workstation - and for that to work I need to get the
keytab for the host/pingname.of.host@KERBEROS.REALM.NAME

A quick LDAP lookup of his workstation in AD reveals that it already  
has a servicePrincipalName of HOST/pingname.of.host - so presumably I  
can extract the keytab somehow. But how?

I don't personally have admin access to the AD domain, but I work  
with the folks who do.

Eddie

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
