I have tried to configure a Windows 7 machine to use our kerberos
realm. The KDC is MIT krb5 1.7.1.
When I try to login using my kerberos principal; I get an error that
there are no logon server available.
In the Windows 7 logs, I see the error:
"The digitally signed Privilege Attribute Certificate (PAC) that
contains the authorization information for client jeanyves_avenard in
realm M.DOMAIN.COM could not be validated.
This error is usually caused by domain trust failures; please contact
your system administrator."
In the kdc logs, I can see that something is authenticating. Passwords
seem okay as if I type an incorrect password for my username, I get an
error about the password being incorrect.
Once I enter the right password, I get the error above.
I read http://www.faqs.org/faqs/kerberos-faq/general/ and about the
PAC microsoft put in. But it's a 10 years old article, not sure how
relevant it is today.
Am I to understand that it is not currently possible to authenticate
on a windows machine using a MIT kerberos KDC? It would be a good
windows domain replacement.
Kerberos from Windows seems to work fine, and I could use the
credential with Firefox.
Any comments on the matter?
Thank you
JY
I sort-of have this working, although this is probably different from your
setup.
UIUC.EDU is an MIT Kerberos realm. Our Windows domain, AD.UIUC.EDU has a
trust with UIUC.EDU and we have the proper altSecurityIdentifier field
configured on the user accounts within Active Directory.
I had to allow single DES for the Windows 7 computer as Windows trusts from
AD to non-Windows KDCs were single DES only at the time our trust was setup:
The Configure encryption types allowed for Kerberos policy setting is
located in Computer Configuration\Security Settings\Local Policies\Security
Options. (I think this is in secpol.msc.)
Once single DES was enabled, I ran the appropriate ksetup /addkdc commands
and I can now login using my ccla...@UIUC.EDU Kerberos principal on a
computer joined to AD.UIUC.EDU.
-----
If you are attempting this on a stand-alone computer not also joined to a
Windows domain, I believe that Windows 7 REQUIRES having computer password
set to the same service principal password on the KDC side for the computer
to be able to authenticate the KDC itself. Windows XP did not have this
requirement.
This can be done with an Active Directory/Cross-realm trust by using the AltSecurityIdentities property on AD users. For a machine in a Workgroup, this can be done by using "ksetup /mapuser"
Windows supports AES256, AES128, RC4-HMAC and DES-CBC MD5 or CBC. The DES types are not available by default in Windows 7 (they have to be enabled).
-Ross
-----Original Message-----
From: kerberos...@mit.edu [mailto:kerberos...@mit.edu] On Behalf Of Jean-Yves Avenard
Sent: Tuesday, September 21, 2010 11:56 AM
To: kerb...@mit.edu
Subject: MIT kdc with Windows 7 pc
________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On 22 September 2010 05:39, Wilper, Ross A <rwi...@stanford.edu> wrote:
> You must have the external (MIT) principal mapped to a Windows user for logon to succeed.
Pretty sure I did that:
I ran the command
ksetup /mapuser user...@M.DOMAIN.COM username
>
> This can be done with an Active Directory/Cross-realm trust by using the AltSecurityIdentities property on AD users. For a machine in a Workgroup, this can be done by using "ksetup /mapuser"
>
> Windows supports AES256, AES128, RC4-HMAC and DES-CBC MD5 or CBC. The DES types are not available by default in Windows 7 (they have to be enabled).
>
The principal was created using:
ank -pw password -e rc4-hmac:normal host/minimepc.m.domain.com
For all accounts it seemed to work properly, by that I mean I see no
authentication error in the kdc logs.
Do the DES encryption types need to be enabled even for Windows 7 ?
I did see:
Sep 22 05:43:06 m.domain.com krb5kdc[68](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 60.242.X.X: NEEDED_PREAUTH: jeanyves...@M.DOMAIN.COM for krbtgt/M.DOMA...@M.DOMAIN.COM, Additional pre-authentication required
followed by proper authentication after, no password errors.
If you have created the principal for the Windows machine and set the password in the Windows machine, then mapped the user's principal to a local account, then you are past what I have done for a Windows machine in a workgroup.
You do not have to turn on the DES encryption types in Windows 7 as long as at least one of the stronger enctypes is available on the principals. It looks like you set up the host with RC4, so I would not enable DES.
-Ross
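The workgroup procedure Ross describes (host principal on the KDC, matching computer password on the Windows 7 box, principal mapped to a local account, no DES needed when a stronger enctype is on the principal), collected into one script as an added example; this is not code from the thread or from MIT krb5. The realm and host names come from the thread (M.DOMAIN.COM, minimepc), the KDC host name, password and account names are assumed placeholders, and the registry locations for ksetup's data and for the "Configure encryption types allowed for Kerberos" policy are from Windows documentation, not from the posts:

```powershell
# Added example, not from the original thread: configure a stand-alone (workgroup)
# Windows 7 machine against an MIT KDC and verify the result. Run from an elevated
# PowerShell prompt. Names marked "assumed" are placeholders; replace them.

$Realm        = 'M.DOMAIN.COM'                 # MIT realm from the thread
$KdcHost      = 'kdc.m.domain.com'             # assumed KDC host name
$HostPassword = 'use-a-long-random-secret'     # assumed; must equal the host/ principal's password
$Principal    = 'jeanyves_avenard@M.DOMAIN.COM'
$LocalAccount = 'username'                     # local account the realm principal maps to

# KDC side (run on the MIT KDC, not on Windows). Unlike the rc4-only command in the
# thread, this gives the host principal AES and RC4 keys, so DES never has to be
# enabled on the client:
#   kadmin.local -q "ank -pw <same-password> -e aes256-cts:normal,rc4-hmac:normal host/minimepc.m.domain.com"

function Set-MitRealm {
    # Make this computer a member of the MIT realm and tell it where the KDC is.
    # ksetup stores these under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\<realm>.
    ksetup /setrealm $Realm
    ksetup /addkdc $Realm $KdcHost
    ksetup /addkpasswd $Realm $KdcHost
    # Windows 7 uses the machine's own key to authenticate the KDC, so this must be
    # the password of host/<fqdn-of-this-machine> on the KDC.
    ksetup /setcomputerpassword $HostPassword
    # Without this mapping a TGT is issued but the interactive logon still fails.
    ksetup /mapuser $Principal $LocalAccount
}

function Get-KerberosEnctypePolicy {
    # Decode the policy "Network security: Configure encryption types allowed for
    # Kerberos". When the value is absent the OS default applies, which on
    # Windows 7 leaves the DES types disabled.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $bits = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $bits) { return 'not set (OS default, DES disabled)' }
    $names = @{ 0x1 = 'DES_CBC_CRC'; 0x2 = 'DES_CBC_MD5'; 0x4 = 'RC4_HMAC'; 0x8 = 'AES128'; 0x10 = 'AES256' }
    $enabled = $names.Keys | Sort-Object | Where-Object { ($bits -band $_) -ne 0 } | ForEach-Object { $names[$_] }
    return ($enabled -join ', ')
}

function Show-RealmConfig {
    # ksetup with no arguments prints the stored realm, KDC list and user mappings.
    ksetup
    $domains = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
    if (Test-Path $domains) {
        Get-ItemProperty -Path $domains | Select-Object KdcNames, KpasswdNames, RealmFlags
    }
    "Allowed Kerberos enctypes: $(Get-KerberosEnctypePolicy)"
}

Set-MitRealm
Show-RealmConfig
# After logging on as $Principal, 'klist' should show a krbtgt/M.DOMAIN.COM@M.DOMAIN.COM ticket.
```

The enctype check is there because the two answers in the thread differ on DES: the UIUC trust needed single DES only because it predated AES/RC4 support on that trust, while a workgroup client against a principal holding AES or RC4 keys should leave the DES bits off; if Get-KerberosEnctypePolicy reports only DES types, the policy has been set too narrowly and the client will not be able to use the host principal created above.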