Windows 7 Kerberos Login using External Kerberos KDC

Tools:

    Ksetup: Configures Kerberos realms, KDCs, and Kpasswd servers.

    Ktpass: Sets the password, account name mappings, and keytab generation for Kerberos services that use the Windows 2008 Kerberos KDC.

Windows 7 Client:

   Run the Ksetup utility to configure the Kerberos KDC server and realm.

    1) Create a host principal for the computer in the Kerberos realm.  Use the Kerberos utility kadmin.  Remember the password used.
    2) Commandline (as administrator):

    C:> Ksetup /setdomain NCSA.EDU

      
## This is suggested in the documentation for Windows Server 2002; it will drop the computer out of the ad.ncsa.edu domain.

## I have found that this also removes access to ad.ncsa.edu services and allocations.  With Windows 2008 server, I have eliminated this step.

## Eliminating this allows access to ad.ncsa.edu services and allocations. It also allows access to the computer using the Windows Domain authentication (login).



   The client mapping allows NCSA.EDU\ncsauser and ad.ncsa.edu\ncsauser access to the same User account.

     Add external KDCs

           C:> Ksetup /addkdc NCSA.EDU kerberos.ncsa.uiuc.edu

           C:> Ksetup /addkdc NCSA.EDU kerberos-1.ncsa.uiuc.edu

           C:> Ksetup /addkdc NCSA.EDU kerberos-2.ncsa.uiuc.edu

     Add computer password - same as password used for creating the computer in the Kerberos realm.

           C:> Ksetup /setcomputerpassword password

     Restart your computer for the changes to take effect.

    Configure Single Sign On

       Map clients to their domain account on the computer.

           C:> Ksetup /mapuser ncsauser@NCSA.EDU ncsauser

      Map clients to local accounts of the same name.

          C:> Ksetup /mapuser * *

     View Kerberos Settings

         C:> Ksetup
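
A check for the settings above, written as an added PowerShell example rather than anything from the original page: it parses the text `Ksetup` prints with no arguments, reports which of the three KDCs are missing from the NCSA.EDU realm, and flags the `* *` mapping, which maps every principal to the local account of the same name. The function name `Test-KsetupConfig` is hypothetical, the output line formats it matches are assumptions, and the sample output is constructed.

```powershell
# Added example (not from the original page). The ksetup output line formats
# matched here ("REALM:", "kdc = host", "Mapping ...") are assumptions.
function Test-KsetupConfig {
    param(
        [string[]]$KsetupOutput,   # lines printed by `ksetup` with no arguments
        [string]$Realm,            # realm whose KDC list is checked
        [string[]]$ExpectedKdcs    # KDCs added with `Ksetup /addkdc`
    )
    $kdcs = @(); $mappings = @(); $currentRealm = $null
    foreach ($line in $KsetupOutput) {
        $text = $line.Trim()
        if ($text -match '^(\S+):$') {
            $currentRealm = $Matches[1]                  # start of a realm block
        } elseif ($currentRealm -eq $Realm -and $text -match '^kdc\s*=\s*(\S+)$') {
            $kdcs += $Matches[1]
        } elseif ($text -match '^Mapping all users \(\*\)') {
            $mappings += '* -> *'                        # result of /mapuser * *
        } elseif ($text -match '^Mapping (\S+) to (\S+?)\.?$') {
            $mappings += "$($Matches[1]) -> $($Matches[2])"
        }
    }
    New-Object PSObject -Property @{
        MissingKdcs     = @($ExpectedKdcs | Where-Object { $kdcs -notcontains $_ })
        UnexpectedKdcs  = @($kdcs | Where-Object { $ExpectedKdcs -notcontains $_ })
        Mappings        = $mappings
        WildcardMapping = ($mappings -contains '* -> *')
    }
}

# Constructed sample output: one of the three KDCs is missing on purpose.
$sample = @(
    'default realm = NCSA.EDU (external)',
    'NCSA.EDU:',
    '        kdc = kerberos.ncsa.uiuc.edu',
    '        kdc = kerberos-1.ncsa.uiuc.edu',
    'Mapping ncsauser@NCSA.EDU to ncsauser.',
    'Mapping all users (*) to a local account by the same name (*).'
)
$expected = 'kerberos.ncsa.uiuc.edu', 'kerberos-1.ncsa.uiuc.edu', 'kerberos-2.ncsa.uiuc.edu'
Test-KsetupConfig -KsetupOutput $sample -Realm 'NCSA.EDU' -ExpectedKdcs $expected | Format-List
# On a configured machine, pass live output instead: -KsetupOutput (ksetup)
```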
