1. Windows app RDP servers, so a client so to speak. MIT krb5.
2. Followed the instructions at MIT site for configuration of windows pass-thru 
authentication (native ~LSA, see snip from "old" documentation below).
3. Yeah, from reading I have done it seems that: it is what it is   ;-(

<SNIP> A user is able to logon to Windows using the Kerberos LSA if the machine
is part of a Windows 2000 or Windows 2003 Active Directory domain or
if the machine has been configured to authenticate to a non-Microsoft KDC
such as MIT.  The instructions for configuring a Windows 2000 XP
workstation to authenticate to a non-Microsoft KDC are documented
in TechNet somewhere.  In brief:

    - Install the Windows 2000 or XP support tools in order to obtain the tools KSETUP.EXE and KTPASS.EXE.
    - Install the Windows 2000 or XP Resource Kit to obtain the tools KERBTRAY.EXE and KLIST.EXE.
    - Add Realms and associated KDCs with: KSETUP /AddKdc <realm> [<kdcname>]. If you leave off the <kdcname>, DNS SRV records will be used.
    - Specify the password change service host for the realm with: KSETUP /AddKpasswd <realm> <Kpwdhost>
    - Assign the realm of the local machine with: KSETUP /SetRealm <realm>, where realm must be all upper case.
    - Assign the local machine's password with: KSETUP /SetComputerPassword <Password>
    - Specify the capabilities of the Realm KDC with: KSETUP /SetRealmFlags <realm> <flag> [<flag> ...], where flags may be None, SendAddress, TcpSupported, Delegate, or NcSupported.
    - Map principal names to local accounts with: KSETUP /MapUser <principal> <account>

-----Original Message-----
From: Greg Hudson [mailto:ghud...@mit.edu] 
Sent: Tuesday, March 08, 2016 12:34 PM
To: Sean Garrett <sean.garr...@asu.edu>; kerberos@mit.edu
Subject: Re: stale credential issue

On 03/08/2016 12:19 PM, Sean Garrett wrote:
> We run Kerberos 5

On a KDC, on clients, or on application servers?  By Kerberos 5, do you mean 
MIT krb5, and if so, what version?

> and occasionally we have some Windows boxes (2008r2, 2012...)

Are you using Kerberos for Windows on these clients, or just native Microsoft 
Kerberos?  If you're using the native Microsoft Kerberos, how are you getting 
the clients to interoperate with an MIT krb5 KDC, if that's what you are doing?

> that appear to hang on to old credentials after you change your password.

In the Kerberos model, changing your password does not invalidate existing 
tickets.  However, if the Microsoft login system is saving the password and 
using it to periodically get new tickets, a password change would obviously 
interfere with that.  I unfortunately don't know enough about the Microsoft 
login system to know whether it does that or how it can be made to continue 
working after a password change.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

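The KSETUP procedure quoted from the old documentation above, carried through as one script. This is an added example, not Sean's configuration and not MIT's or Microsoft's own code; the realm EXAMPLE.ORG, the KDC and kpasswd host names, and the principal-to-account mappings are assumptions, and the Invoke-Ksetup wrapper is a local helper. It has to run from an elevated prompt on the workstation, and /SetRealm takes effect only after a reboot. The computer password it sets must match the key of this host's principal on the MIT KDC, so it is prompted for rather than hard-coded, and Delegate is deliberately left out of the realm flags because it lets services on this machine forward user credentials.

```powershell
# Added example: configure a Windows workstation for pass-through (LSA) logon
# against a non-Microsoft KDC using ksetup.exe. Realm, hosts and mappings are assumptions.
#Requires -RunAsAdministrator

$Realm       = 'EXAMPLE.ORG'                                 # assumed realm; must be upper case
$Kdcs        = @('kdc1.example.org', 'kdc2.example.org')     # assumed KDC hosts
$KpasswdHost = 'kdc1.example.org'                            # assumed kpasswd service host
$Mappings    = @{ 'alice@EXAMPLE.ORG' = 'alice'              # assumed principal -> local account
                  'bob@EXAMPLE.ORG'   = 'bob' }

# Local helper (not a ksetup feature): run ksetup and stop on the first failure
# instead of silently continuing with a half-configured realm.
function Invoke-Ksetup {
    param([string[]]$Arguments)
    & ksetup.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "ksetup $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Kerberos realm names are case-sensitive and ksetup /SetRealm expects upper case.
if ($Realm -cne $Realm.ToUpperInvariant()) {
    throw "Realm '$Realm' must be all upper case"
}

# Add the realm's KDCs explicitly. Leaving the host off would make Windows
# depend on DNS SRV records for the realm; listing them avoids that.
foreach ($kdc in $Kdcs) {
    Invoke-Ksetup @('/AddKdc', $Realm, $kdc)
}

# Password-change service host for the realm.
Invoke-Ksetup @('/AddKpasswd', $Realm, $KpasswdHost)

# Make the MIT realm the local machine's realm (needs a reboot to take effect).
Invoke-Ksetup @('/SetRealm', $Realm)

# The machine's own Kerberos key. The same password must already be set on the
# MIT KDC for this host's principal; prompt for it so it never sits in the script.
$secure = Read-Host -AsSecureString -Prompt "Computer password as set on the $Realm KDC"
$ComputerPassword = [System.Net.NetworkCredential]::new('', $secure).Password
Invoke-Ksetup @('/SetComputerPassword', $ComputerPassword)
$ComputerPassword = $null

# Realm capabilities. TcpSupported lets large tickets avoid UDP fragmentation.
# Delegate is omitted on purpose: it permits credential forwarding from this host.
Invoke-Ksetup @('/SetRealmFlags', $Realm, 'TcpSupported')

# Map Kerberos principals to local accounts so the LSA can build a logon token.
foreach ($principal in $Mappings.Keys) {
    Invoke-Ksetup @('/MapUser', $principal, $Mappings[$principal])
}

# Check: show the realm configuration ksetup ended up with.
& ksetup.exe /DumpState
Write-Host "Reboot, log on as a mapped principal, then run 'klist' to confirm a TGT from $Realm."
```

After the reboot, `klist` on the workstation should show a krbtgt/EXAMPLE.ORG ticket for the mapped user; if it shows nothing, recheck the mapping and the computer password first. For the stale-credential symptom in the thread, `klist purge` (the klist built into Windows since Vista) discards the current logon session's cached tickets so the next request goes back to the KDC with the new password.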