On 5/4/2010 4:24 PM, Justin Brinegar wrote:
> I'm having some problems getting Network Identity Manager/KFW to obtain
> tickets in a foreign Kerberos realm at logon - details are below. I've
> got this to work on one machine, but I can't replicate it on another.

You can obtain extensive log data from NIM by turning on the logging via
the Options->General page.

> The setup:
>
> wedge is in atestdomain.physics.unc.edu, 32 bit Windows 7, UAC off.
> Logging on with WEDGE\brinegar gets me a MITKERB.UNC.EDU tgt (the
> passwords match). Works as expected. WEDGE\brinegar is an admin. I
> have next to no GPOs set on this machine and I control atestdomain. No
> trust relationships are involved.
>
> screw is in adproduction.unc.edu, 64 bit Windows 7, UAC off. Logging on
> with ADPRODUCTION\brinegar gets me an ADPRODUCTION.UNC.EDU tgt (though
> it does not with UAC ON, or at least I can't see it in NIM),

If you are relying on the MSLSA: cache exporting the TGT, this cannot work
if the account is a member of the Administrators group and UAC is active.
Access to the TGT permits an end run around UAC mode.

> but I'm
> expecting to get a MITKERB.UNC.EDU tgt as well (the passwords match),

TGT acquisition at logon is not performed by NIM. It is performed by the
kfwlogon.dll network provider.

> since I have configured NIM exactly the same as wedge above. I
> experience the same symptom when I log on with a local account
> SCREW\brinegar.
>
> What would cause me to not get the MITKERB.UNC.EDU ticket on screw? The
> krb5.ini files for the machines are the same, each can resolve the
> proper KDCs. I have installed KFW 32/64 and NIMv2 32/64 - the 64bit
> netidmgr.exe launches upon logon with screw. Once I get the ticket on
> logon, I'll use it to get tokens for two AFS cells automatically (works
> fine on wedge).

AFS token acquisition at logon is performed using the afslogon.dll network
provider and is independent of the kfwlogon.dll. It gets its own Kerberos
TGT and uses its per-domain configuration for deciding what realm to obtain
a TGT from and which cells to obtain tokens for.

> KFW - 3.2.2
> NIM - 2.0.0.304
> screw/AFS - 1.5.7400
> wedge/AFS - 1.5.7200
>
> I'm in communication with the Domain Admin for adproduction.unc.edu, but
> I wanted to check with the community.
>
> Any cookbook recipes or ideas are welcome.
>
> Justin

I think you need to start off by explaining what you are trying to
accomplish. Do you want a TGT acquired during the logon process, or do you
want NIM to import a TGT from the Microsoft LSA cache and then do something
with it?

Jeffrey Altman
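The reply above points at two things a practitioner would check before blaming NIM or krb5.ini: whether the logon is an Administrators member running under an active UAC (the case in which exporting the TGT from the MSLSA: cache cannot work), and what the LSA actually holds for the current logon session. The PowerShell below is an added diagnostic for exactly that; it is not part of the thread and not code from NIM, KFW or OpenAFS. It assumes the standard EnableLUA registry value, the CSV output format of `whoami /groups`, and that the built-in Windows klist.exe is on PATH; the MIT KFW klist with `-c MSLSA:` is mentioned in a comment only and is not required.

```powershell
# Added diagnostic, not from the thread: report the two conditions named in the
# reply for the MSLSA: export failing (Administrators membership plus active
# UAC), then show what the LSA holds for this logon session.

# EnableLUA is the registry switch behind UAC: 1 = UAC on, 0 = UAC off.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacOn = (Get-ItemProperty -Path $policyKey -Name EnableLUA).EnableLUA -eq 1

# whoami /groups lists every group SID in the current token. With UAC on, a
# non-elevated logon of an Administrators member still carries S-1-5-32-544,
# but marked "Group used for deny only" (the filtered token).
$groups        = whoami /groups /fo csv | ConvertFrom-Csv
$adminRow      = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
$isAdminMember = $null -ne $adminRow
$filteredToken = $isAdminMember -and ($adminRow.Attributes -match 'deny only')

# IsInRole on the current token is true only when the token is really elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

"UAC (EnableLUA) on          : $uacOn"
"Administrators member       : $isAdminMember"
"Running with filtered token : $filteredToken"
"Current token elevated      : $elevated"

if ($uacOn -and $isAdminMember) {
    Write-Warning ('Administrators member with UAC active: per the reply, ' +
                   'exporting the TGT from the MSLSA: cache will not work here.')
}

# Built-in Windows klist.exe prints the Kerberos tickets the LSA holds for this
# logon session, i.e. what the MSLSA: cache exposes. Look for the
# krbtgt/<REALM>@<REALM> entry to see which realm's TGT the logon produced.
# (MIT KFW's klist accepts "klist -c MSLSA:" for the same view; assumed, not
# required here.)
klist
```

Run it unelevated in the same logon session that NIM or kfwlogon.dll is expected to serve; an elevated prompt gets a different token and a different answer to the filtered-token check. If the realm you expect (here MITKERB.UNC.EDU) never appears in the klist output, the missing piece is the logon-time acquisition by kfwlogon.dll, not NIM's import.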