Using kerberos w/o binding to active directory


Archived from groups: microsoft.public.win2000.active_directory

 

I have a file server on the campus active directory that contains the
home directories for all the users of campus computer lab. I would like
for students to be able to connect to a share and access their files
from their dorm PCs not on the active directory. The complication here
is since their dorm PCs are not bound to the active directory, they are
not using Kerberos for authentication. I'd like to come up with a set
of instructions so they can get a Kerberos ticket and connect to the
share, but I don't have a strong Kerberos background.

I have been able to do this on a Mac by setting up an appropriate
/Library/Preferences/edu.mit.kerberos file (just like krb5.conf) and
using the /System/Library/CoreServices/Kerberos application to get a
ticket. Once this happens, the Mac user is able to connect to the share
and see their files. This at least leads me to believe what I want to
accomplish is possible.

Berkeley has a set of instructions for their students to do this. Their
AD also uses Kerberos for authentication:

http://calnetad.berkeley.edu/docum [...] ity/#item1

It seems to have the students install a .reg file which has the same
effect as running the necessary ksetup.exe commands. I have tried
using this method to no avail - creating an analogous registry file by
copying those keys from a working machine on the active directory.

The difference in the event logs on the server side between the failed
Windows connections and the successful MacOS 10.3 ones is this:

Successful Network Logon:
User Name: djc6
Domain: ADS
Logon ID: (0x0,0x64EC9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos

Login Failures all show:
Logon Process: NtLmSsp
Authentication Package: NTLM

So it seems I am missing something fundamental where the Windows clients
aren't even trying to use Kerberos for authentication.

Anyone have any ideas?

-David
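
An added example, not part of the original post: a small parser for event descriptions in the "Field: value" layout quoted above, listing the Logon Type 3 entries that negotiated something other than Kerberos. The sample log is constructed (only the djc6 entry mirrors the post) and the function names are hypothetical.

```python
import re
from collections import Counter
# Constructed sample; only the djc6 entry mirrors the post, the rest is made up.
SAMPLE_LOG = """\
Successful Network Logon:
User Name: djc6
Domain: ADS
Logon ID: (0x0,0x64EC9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos

Logon Failure:
User Name: student1
Domain: DORM-PC01
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
"""

FIELD = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")

def parse_events(text):
    """Split on blank lines; a 'Name:' line with no value is the event title."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m and m.group(2) == "" and "title" not in event:
                event["title"] = m.group(1).strip()
            elif m:
                event[m.group(1).strip()] = m.group(2)
        if event:
            events.append(event)
    return events

def package_counts(events):
    """Count events per authentication package, case-insensitively."""
    return Counter(e.get("Authentication Package", "unknown").lower() for e in events)

def non_kerberos_network_logons(events):
    """Return (user, domain, package) for Type 3 logons that did not use Kerberos."""
    return [(e.get("User Name", "?"), e.get("Domain", "?"), e.get("Authentication Package", "?"))
            for e in events
            if e.get("Logon Type") == "3"
            and e.get("Authentication Package", "").lower() != "kerberos"]

if __name__ == "__main__": print(non_kerberos_network_logons(parse_events(SAMPLE_LOG)))
```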


I am not really sure how this pertains to Active Directory.......

You might be better served in another newsgroup or forum.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"David Carlin" <dcarlin3@yahoo.com> wrote in message
news:dcarlin3-20C325.01422516022005@eeyore.ins.cwru.edu...
>I have a file server on the campus active directory that contains the
> home directories for all the users of campus computer lab. I would like
> for students to be able to connect to a share and access their files
> from their dorm PCs not on the active directory. The complication here
> is since their dorm PCs are not bound to the active directory, they are
> not using Kerberos for authentication. I'd like to come up with a set
> of instructions so they can get a Kerberos ticket and connect to the
> share, but I don't have a strong Kerberos background.
>
> I have been able to do this on a Mac by setting up an appropriate
> /Library/Preferences/edu.mit.kerberos file (just like krb5.conf) and
> using the /System/Library/CoreServices/Kerberos application to get a
> ticket. Once this happens, the Mac user is able to connect to the share
> and see their files. This at least leads me to believe what I want to
> accomplish is possible.
>
> Berkeley has a set of instructions for their students to do this. Their
> AD also uses Kerberos for authentication:
>
> http://calnetad.berkeley.edu/docum [...] ity/#item1
>
> It seems to have the students install a .reg file which has the same
> effect as running the necessary ksetup.exe commands. I have tried
> using this method to no avail - creating an analogous registry file by
> copying those keys from a working machine on the active directory.
>
> The difference in the event logs on the server side between the failed
> Windows connections and the successful MacOS 10.3 ones is this:
>
> Successful Network Logon:
> User Name: djc6
> Domain: ADS
> Logon ID: (0x0,0x64EC9)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
>
> Login Failures all show:
> Logon Process: NtLmSsp
> Authentication Package: NTLM
>
> So it seems I am missing something fundamental where the Windows clients
> aren't even trying to use Kerberos for authentication.
>
> Anyone have any ideas?
>
> -David
