IIS and other Windows SSPI based applications will only use credentials that are obtained via the Microsoft logon screen. You cannot use MIT KfW to obtain a TGT for those applications. In other words, you must log onto the machine with the domain account and not a local account if you wish to use IE.
Your other option is to start IE using "RunAs <domainAcct>" and issue your username/password for the domain account each time you start IE.

Jeffrey Altman

Schreiter,Jonathan M. wrote:
> Hello,
> I currently have an AD 2003 environment that serves as a Kerberos server.
> Normally, with a standard Windows XP / Vista client (that is joined to the
> domain), when I login with a domain account I get a TGT for the AD domain /
> realm. This TGT is then used to get tickets for various other services that
> require Kerberos. When I run a klist from the MIT tools installed on this
> client, I show my ticket cache: MSLSA.
>
> I need to log in with a local account on this same computer (still joined to
> the domain). I'd like to be able via command line to enter in my AD
> credentials to acquire a tgt just as if I was a login from the original
> CTRL+ALT+DEL screen.
>
> Also, MYDOMAIN.COM = MYREALM.COM
>
> After logging in locally, I tried to do a simple kinit [email protected]
> and it took the password. However, if I use Internet Explorer to go to an
> IIS server that requires kerberos authentication, I am still prompted for my
> username and password.
>
> I then drilled in to the GUI Network Identity Manager. Under Kerberos v5
> Credential Cache I have Include Windows LSA cache (MSLSA:) checked. Under
> Realms I added a new realm MYDOMAIN.COM. I added an AD DC for the Kerberos
> Server, but I left Domains that map to MYDOMAIN.COM empty (not sure what's
> supposed to go here).
>
> I then entered my kerberos authentication in to the GUI and it took my
> password. However, it still doesn't see the tgt in the MSLSA (if I try to
> use a klist from the Windows NT Resource Kit). If I run klist from
> c:\Program Files\MIT\Kerberos\Bin I get a klist: No credentials cache found
> (ticket cache API:[email protected]. Also, if I try to run IE to hit an
> IIS web server requiring Kerberos, it still prompts me for my credentials.
>
> I think I'm almost there - but can someone help me connect the pieces?
> Again, I would like to log in to a Windows XP / Vista computer, enter a
> username and password to obtain a tgt in the mslsa, so that IE can hit an IIS
> server that requires kerberos w/o typing in the password again.
>
> Any help would be GREATLY appreciated.
>
> Many thanks,
> Jonathan
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
