Hello,
I currently have an AD 2003 environment that serves as a Kerberos server.  
Normally, with a standard Windows XP / Vista client (that is joined to the 
domain), when I login with a domain account I get a TGT for the AD domain / 
realm.  This TGT is then used to get tickets for various other services that 
require Kerberos.  When I run a klist from the MIT tools installed on this 
client, I show my ticket cache: MSLSA.
 
I need to log in with a local account on this same computer (still joined to 
the domain).  I'd like to be able via command line to enter in my AD 
credentials to acquire a tgt just as if I was a login from the original 
CTRL+ALT+DEL screen.
 
Also, MYDOMAIN.COM = MYREALM.COM
 
After logging in locally, I tried to do a simple kinit [email protected] and 
it took the password.  However, if I use Internet Explorer to go to an IIS 
server that requires kerberos authentication, I am still prompted for my 
username and password.
 
I then drilled in to the GUI Network Identity Manager.  Under Kerberos v5 
Credential Cache I have Include Windows LSA cache (MSLSA:) checked.  Uner 
Realms I added a new realm MYDOMAIN.COM.  I added an AD DC for the Kerberos 
Server, but I left Domains that map to MYDOMAIN.COM empty (not sure what's 
supposed to go here).
 
I then entered my kerberos authentication in to the GUI and it took my 
password.  However, it still doesn't see the tgt in the MSLSA (if I try to use 
a klist from the Windows NT Resource Kit).  If I run klist from c:\Program 
Files\MIT\Kerberos\Bin I get a klist: No credentials cache found (ticket cache 
API:[email protected].  Also, If I try to run IE to hit an IIS web server 
requiring Kerberos, it still prompts me for my credentials.
 
I think I'm almost there - but can someone help me connect the pieces?  Again, 
I would like to log in to a windows xp / vista computer, enter a username and 
password to obtain a tgt in the mslsa, so that IE can hit an IIS server that 
requires kerberos w/o typing in the password again.
 
Any help would be GREATLY appreciated.
 
Many thanks,
Jonathan
 
 

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to