Thanks Doug and Jeff. I'm not sure the runas will work in the problem I'm trying to solve, but maybe I'm wrong. I have an application that, when you click on a button, will spawn an IE window, and there are multiple buttons that link to different URLs (each URL corresponds to an IIS server with Kerberos authentication). During nominal operations, multiple IE windows will be open on the same machine, and new windows will be closed and opened multiple times per day. I guess I could spawn a cmd window from the button, but I'm not sure how to automatically spawn multiple iexplore.exe from this cmd window from an external application.

The second part of the problem is that I'll have multiple computers that fit this category, so I was hoping to use a keytab dump after getting the TGT to copy files to the other computers for SSO. If anyone has any thoughts, I'd appreciate it. I'm going to take a look at some PKI options here in the meantime.

Many thanks,
Jonathan

-----Original Message-----
From: Douglas E. Engert [mailto:[email protected]]
Sent: Monday, May 11, 2009 10:25 AM
To: Schreiter,Jonathan M.
Cc: [email protected]
Subject: Re: Active Directory Kerberos Server and Windows MIT Tools Client

In addition to what Jeff proposed, you can use the runas command with other commands. cmd.exe is one, as it then gives you a command window to start other commands, including explorer or iexplorer, so you only have to enter the user/password once.

The runas.exe /netonly can also be used on machines not joined to the domain, to get credentials from the domain, usable on the network.

Also see:
http://support.microsoft.com/kb/225035
"Secondary Logon (Run As): Starting Programs and Tools in Local Administrative Context"

And to get explorer to run also see:
http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx
"How do you set the "separate process" flag, then?"
"How do I tell my admin windows from my normal windows?"

Schreiter,Jonathan M. wrote:
> Hello,
> I currently have an AD 2003 environment that serves as a Kerberos server. Normally, with a standard Windows XP / Vista client (that is joined to the domain), when I login with a domain account I get a TGT for the AD domain / realm. This TGT is then used to get tickets for various other services that require Kerberos. When I run a klist from the MIT tools installed on this client, I show my ticket cache: MSLSA.
>
> I need to log in with a local account on this same computer (still joined to the domain). I'd like to be able via command line to enter in my AD credentials to acquire a TGT just as if I was a login from the original CTRL+ALT+DEL screen.
>
> Also, MYDOMAIN.COM = MYREALM.COM
>
> After logging in locally, I tried to do a simple kinit [email protected] and it took the password. However, if I use Internet Explorer to go to an IIS server that requires Kerberos authentication, I am still prompted for my username and password.
>
> I then drilled in to the GUI Network Identity Manager. Under Kerberos v5 Credential Cache I have Include Windows LSA cache (MSLSA:) checked. Under Realms I added a new realm MYDOMAIN.COM. I added an AD DC for the Kerberos Server, but I left Domains that map to MYDOMAIN.COM empty (not sure what's supposed to go here).
>
> I then entered my Kerberos authentication in to the GUI and it took my password. However, it still doesn't see the TGT in the MSLSA (if I try to use a klist from the Windows NT Resource Kit). If I run klist from c:\Program Files\MIT\Kerberos\Bin I get a klist: No credentials cache found (ticket cache API:[email protected]). Also, if I try to run IE to hit an IIS web server requiring Kerberos, it still prompts me for my credentials.
>
> I think I'm almost there - but can someone help me connect the pieces? Again, I would like to log in to a Windows XP / Vista computer, enter a username and password to obtain a TGT in the MSLSA, so that IE can hit an IIS server that requires Kerberos w/o typing in the password again.
>
> Any help would be GREATLY appreciated.
>
> Many thanks,
> Jonathan
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
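A launcher along the lines Doug describes, as an added example that is not from the thread: a single runas /netonly prompt starts one cmd.exe, and that cmd.exe opens one IE window per URL, so every window presents the same domain credentials to the IIS servers. The script name, the account MYDOMAIN\jonathan and the URLs are placeholders.

```batch
@echo off
setlocal
REM open_ie_as_domain_user.cmd (added example; the file name is a placeholder)
REM Usage: open_ie_as_domain_user.cmd MYDOMAIN\jonathan https://iis1.mydomain.com/app1 https://iis2.mydomain.com/app2
REM runas /netonly asks for the domain password once. The cmd.exe it starts then
REM opens one IE window per URL; all of them use those network credentials.
if "%~2"=="" (
    echo Usage: %~nx0 DOMAIN\user URL [URL ...]
    exit /b 1
)
set "ACCOUNT=%~1"
shift
set "LAUNCH="
:next
if "%~1"=="" goto run
REM Inside the double quotes the ampersand is literal for this cmd.exe;
REM the inner cmd.exe started by runas treats it as a command separator.
set "LAUNCH=%LAUNCH%start iexplore.exe %~1 & "
shift
goto next
:run
runas /netonly /user:%ACCOUNT% "cmd.exe /c %LAUNCH%exit"
endlocal
```

URLs that themselves contain an ampersand would need extra quoting before being appended to LAUNCH; the application's buttons could call this script once per set of URLs instead of spawning iexplore.exe directly.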
