Using kerberos w/o binding to active directory


From: David Carlin (dcarlin3_at_yahoo.com)
Date: 02/16/05


Date: Wed, 16 Feb 2005 01:42:25 -0500

I have a file server on the campus active directory that contains the
home directories for all the users of campus computer lab. I would like
for students to be able to connect to a share and access their files
from their dorm PCs not on the active directory. The complication here
is since their dorm PCs are not bound to the active directory, they are
not using Kerberos for authentication. I'd like to come up with a set
of instructions so they can get a Kerberos ticket and connect to the
share, but I don't have a strong Kerberos background.

I have been able to do this on a Mac by setting up an appropriate
/Library/Preferences/edu.mit.kerberos file (just like krb5.conf) and
using the /System/Library/CoreServices/Kerberos application to get a
ticket. Once this happens, the Mac user is able to connect to the share
and see their files. This at least leads me to believe what I want to
accomplish is possible.

Berkeley has a set of instructions for their students to do this. Their
AD also uses Kerberos for authentication:

http://calnetad.berkeley.edu/documentation/interoperability/#item1

It seems to have the students install a .reg file which has the same
effect as running the necessary ksetup.exe commands. I have tried
using this method to no avail - creating an analogous registry file by
copying those keys from a working machine on the active directory.

The difference in the event logs on the server side between the failed
Windows connections and the successful MacOS 10.3 ones is this:

Successful Network Logon:
   User Name: djc6
   Domain: ADS
   Logon ID: (0x0,0x64EC9)
   Logon Type: 3
   Logon Process: Kerberos
   Authentication Package: Kerberos

Login Failures all show:
   Logon Process: NtLmSsp
   Authentication Package: NTLM

So it seems I am missing something fundamental where the Windows clients
aren't even trying to use Kerberos for authentication.

Anyone have any ideas?

   -David
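
Added example, not part of the original post: a small Python parser for server-side logon event text in the layout quoted above, which lists the network logons (Logon Type 3) whose Authentication Package was not Kerberos. The failure header, the user `student1` and the domain `DORMPC` are constructed sample values, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event text quoted in the post.
# Only the first event comes from the post; the second is made up.
SAMPLE = """\
Successful Network Logon:
   User Name: djc6
   Domain: ADS
   Logon ID: (0x0,0x64EC9)
   Logon Type: 3
   Logon Process: Kerberos
   Authentication Package: Kerberos

Logon Failure:
   User Name: student1
   Domain: DORMPC
   Logon Type: 3
   Logon Process: NtLmSsp
   Authentication Package: NTLM
"""

# Indented "Key: value" line inside an event description.
FIELD = re.compile(r"^\s+([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """Split exported event text into one dict per event."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
        elif line.strip().endswith(":"):  # unindented header starts an event
            current = {"Event": line.strip().rstrip(":")}
            events.append(current)
    return events

def ntlm_fallbacks(events):
    """Network logons (type 3) that did not use the Kerberos package."""
    return [e for e in events if e.get("Logon Type") == "3"
            and e.get("Authentication Package", "").lower() != "kerberos"]

def package_counts(events):
    """Count events per authentication package."""
    return Counter(e.get("Authentication Package", "unknown") for e in events)

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(dict(package_counts(evs)))
    for e in ntlm_fallbacks(evs):
        print("non-Kerberos logon:", e.get("Domain"), e.get("User Name"))
```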


