[37791] in Kerberos
Re: Can I automatically cache AD tickets into a file on windows?
daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Sun Nov 20 16:13:32 2016
Date: Sun, 20 Nov 2016 15:13:12 -0600
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Mauro Cazzari <Mauro.Cazzari@sas.com>
Message-ID: <20161120211248.GZ86797@kduck.kaduk.org>
In-Reply-To: <051b3c09d14c4e80a2159b7fc3045aa1@MERCMBX45R.na.SAS.com>
Cc: "Kerberos@mit.edu" <kerberos@MIT.EDU>

On Fri, Nov 18, 2016 at 04:51:03PM +0000, Mauro Cazzari wrote:
> One more thing: if MIT Kerberos is installed, is there a way to populate the KRB5CCNAME cache file automatically when I log on to Windows without having to use a keytab or having to run a kinit under the covers?

MIT KfW does include a utility "ms2mit.exe" that attempts to export Kerberos
credentials from the Windows LSA to a KfW credentials cache (which by default
will be an API: cache but can be configured to be a FILE: cache). However,
those attempts will fail in some situations, such as when the user is a
local administrator, on recent versions of Windows. Some sites have run
ms2mit during the login process to get that sort of behavior; however, in
the KfW 4.1 series, the LSA: support is improved and it may be feasible
to just use the LSA: cache directly.
-Ben
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos