[36916] in Kerberos
Re: MIT Kerberos Client and MSLSA Cache
daemon@ATHENA.MIT.EDU (Meike Stone)
Wed Apr 22 12:57:23 2015
MIME-Version: 1.0
In-Reply-To: <alpine.GSO.1.10.1504211638490.22210@multics.mit.edu>
Date: Wed, 22 Apr 2015 18:57:01 +0200
Message-ID: <CAFNHiA86Su9aUALPbpxm6AO2bo6+VVc6ZwuZ46aaqfjdq9yqrw@mail.gmail.com>
From: Meike Stone <meike.stone@googlemail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: "Kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello Benjamin,
thank you very much for great help!
Today I got running SAP SSO for W2k3 too!
> I would recommend making the API: cache the default and having SAP use
> that, if there is no external need for using the LSA cache. Getting
> things working properly with the LSA cache can be very frustrating, and
> the API: cache should be much simpler to set up.
Thats what I did!
Switched from MSLSA to MIT ccache AND using gssap32.dll from MIT!
The following and my wrong post in the other thread gave me the
enlightened hint!
> When using the KfW 4.0.x gssapi32.dll, there should not be a need to
> already have a TGT -- I believe the library can launch MIT Kerberos.exe
> and pop up a "Get Ticket" window.
Yes, that works all as described (but only with the MIT gssapi32.dll ;-)!
Problem was only the weak encryption (single-des) derived from former XP
clients in our AD-Domain (arrg)
I configured this in krb5.ini (allow_weak_crypto = true) and every
thing was working!
Thanks a lot,
Regards Meike!
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
