Terry Jones wrote:

I am pretty new to Kerberos so I may mess up the terminology.


Start with
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

This covers all the scenarios of using Kerberos with Windows.


We have had a couple of people attempt what I am describing below and we have failed so far. I just wanted to consult the group with the basic "is this possible" question first, then expand on to broader questions like "who has done it" and "how is it done"

We have a student lab of Windows XP computers and we want the students
to have to authenticate to use them. We have an MIT Kerberos KDC that
"knows" all the students but we do not want the MIT KDC to have to
know each and every XP workstation.

Kerberos uses a trusted third party KDC to authenticate the user to the machine. As such the KDC shares a secret with each user, and a secret with each machine. So some KDC in some realm will have to have the machine principals registered.

When you say login to the XP workstation, are the workstations part
of a domain or standalone?  If standalone, see the section "Using an
MIT KDC with a Standalone Windows 2000 Workstation". This will
require the users and workstations to be registered with the KDC.

If the workstations are part of a domain, then they are registered
with the domain, and the users also need to be. Keep in mind that
Kerberos does only authentication, whereas AD uses Kerberos for
authentication, but it also does authorization, and users and
workstations need accounts.


We would like to set up a Windows Server 2003 (or 2000 if that makes a difference) AD Domain Controller that the students log into, but we want that AD Domain controller to contact the MIT KDC for authentication purposes.

See the sections "Setting Trust with a Kerberos Realm" and "Creating Account Mappings". This tells you how to have the user use the MIT KDC for authentication, but to authenticate to a matching AD account.



If we have to create explicit user accounts for each student in the
Windows Active Directory Domain we will, but if we could map them all
to a single account that would also be good.

Not sure if this is possible, but it looks like the "Security Identity Mapping" window will allow multiple mappings to the same account.


In other words, we are willing to let the MIT KDC talk to the Windows AD Domain Controller, not all the workstations. We want the XP workstations to contact the Windows Domain Controller and have the Windows Domain Controller touch base with the MIT KDC to authenticate them.

Technically, the KDCs don't talk to each other. The user acquires tickets from the KDCs that are presented to the server. In this case the workstation working on behalf of the user would obtain a TGT ticket for the user from the user's realm (MIT KDC), then use this against the user's realm to obtain a cross realm TGT ticket to the AD realm of the workstation. It would then use this cross realm TGT to get a ticket for the workstation from the AD. At this point the AD would spot that the user principal was to be mapped to an AD account, and it would add the PAC authorization data to the service ticket. So when the service ticket was presented to the server (i.e. the workstation during login) it would have all the authentication and authorization data it needed to let the user login.


I have set up a Windows Server 2003 AD Domain controller. It is all working well from a DNS point of view. It is actually talking to the MIT KDC but so far all I have gotten is Windows errors from the tickets returned when attempting a local login on the Windows Server and authenticating to the MIT KDC. I have not had ANY success logging into the Windows domain from an XP workstation... no traffic to the MIT KDC whatsoever...


Sounds like the account mapping is missing or the user needs to
specify the full principal name [EMAIL PROTECTED] in the login prompt.


I welcome your general and detailed comments! Thanks.


Terry Jones
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
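The three exchanges Doug describes (TGT from the MIT realm, cross-realm TGT from the MIT realm, then a PAC-carrying service ticket from AD) and the failure he suspects (no account mapping) can be modelled in a few lines. The following is an added example, not code from the thread, from MIT Kerberos or from Microsoft: it implements no cryptography or wire format, only which principal asks which KDC for what and where a logon is refused. The realm names MIT.EXAMPLE and AD.EXAMPLE, the host principal and the account name "labstudent" are constructed placeholders.

```python
"""Toy model of a cross-realm Kerberos workstation logon (constructed example).

No crypto, no ASN.1: each KDC only checks who issued the presented TGT, whether
that realm is trusted, and (for AD) whether the foreign user maps to a local
account so that a PAC can be attached.
"""
from dataclasses import dataclass
from typing import Optional

MIT_REALM = "MIT.EXAMPLE"   # assumed name of the MIT KDC's realm
AD_REALM = "AD.EXAMPLE"     # assumed name of the Windows AD domain / realm
WORKSTATION = f"host/xp-lab-01.ad.example@{AD_REALM}"   # assumed host principal


@dataclass
class Ticket:
    client: str                 # principal the ticket was issued to
    service: str                # service principal the ticket is good for
    issuer: str                 # realm whose KDC issued it
    pac: Optional[dict] = None  # AD authorization data, only on AD service tickets


class KDC:
    """One realm's KDC: its own principals, the realms it shares a key with,
    and (AD only) the mapping of foreign principals to local accounts."""

    def __init__(self, realm, principals, trusted_realms=(), mappings=None, issues_pac=False):
        self.realm = realm
        self.principals = set(principals)
        self.trusted = set(trusted_realms)
        self.mappings = dict(mappings or {})
        self.issues_pac = issues_pac

    def as_req(self, user):
        # AS exchange: only a principal registered in this realm gets a TGT.
        if user not in self.principals:
            raise LookupError(f"{user} is unknown to {self.realm}")
        return Ticket(user, f"krbtgt/{self.realm}@{self.realm}", self.realm)

    def tgs_req(self, tgt, service):
        # TGS exchange: the TGT must name this realm and come from us or a trusted realm.
        if tgt.service != f"krbtgt/{self.realm}@{tgt.issuer}":
            raise PermissionError(f"{tgt.service} is not a TGT for {self.realm}")
        if tgt.issuer != self.realm and tgt.issuer not in self.trusted:
            raise PermissionError(f"{self.realm} does not trust {tgt.issuer}")
        if service.startswith("krbtgt/"):
            # Cross-realm TGT request: we need a shared key with the target realm.
            target = service.split("/", 1)[1].split("@", 1)[0]
            if target not in self.trusted:
                raise PermissionError(f"no cross-realm key between {self.realm} and {target}")
            return Ticket(tgt.client, service, self.realm)
        if service not in self.principals:
            raise LookupError(f"{service} is not registered in {self.realm}")
        pac = None
        if self.issues_pac:
            # AD only: a foreign user must map to a local account, otherwise there
            # is nothing to put in the PAC and the workstation cannot authorize the logon.
            account = self.mappings.get(tgt.client)
            if account is None:
                raise PermissionError(f"no account mapping for {tgt.client} in {self.realm}")
            pac = {"account": account}
        return Ticket(tgt.client, service, self.realm, pac)


def workstation_login(user, home_kdc, ad_kdc, workstation):
    """The three exchanges the workstation performs on the user's behalf."""
    tgt = home_kdc.as_req(user)                                                  # 1. TGT from the user's realm
    xrealm = home_kdc.tgs_req(tgt, f"krbtgt/{ad_kdc.realm}@{home_kdc.realm}")   # 2. cross-realm TGT
    return ad_kdc.tgs_req(xrealm, workstation)                                   # 3. service ticket + PAC from AD


def build_realms(with_mapping):
    """Constructed pair of KDCs: MIT knows the student, AD knows the workstation."""
    student = f"student1@{MIT_REALM}"
    mit = KDC(MIT_REALM, {student}, trusted_realms={AD_REALM})
    ad = KDC(AD_REALM, {WORKSTATION}, trusted_realms={MIT_REALM},
             mappings={student: "labstudent"} if with_mapping else {}, issues_pac=True)
    return student, mit, ad


def login_outcome(with_mapping):
    student, mit, ad = build_realms(with_mapping)
    try:
        ticket = workstation_login(student, mit, ad, WORKSTATION)
    except (LookupError, PermissionError) as err:
        return f"denied: {err}"
    return f"ok: {ticket.client} logs on as {ticket.pac['account']}"


if __name__ == "__main__":
    print(login_outcome(with_mapping=True))
    print(login_outcome(with_mapping=False))
```

Running it shows the mapped case succeeding with a PAC naming the AD account, and the unmapped case refused by the AD KDC at step 3, after the MIT KDC has already issued both tickets; that is the point at which to look when a domain logon fails even though traffic to the MIT KDC looks healthy.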