http://kerberos.996246.n3.nabble.com/Creating-a-keytab-with-ktpass-under-a-Computer-account-td14074.html
I followed the above link to create a computer account on a Windows server and generate a keytab to be used for the first kinit. It doesn't seem to work. Have I employed the wrong procedure, or was this expected?

--------------
Faisal Ali

On Mon Feb 09 2015 at 9:20:03 PM Wilper, Ross <rwil...@slac.stanford.edu> wrote:

> I would be interested to see if you can make this work. It's been a while
> since I've looked into this and did not get very far.
>
> It sounds like you are on the right path - one of the gotchas is that AD
> does not seem to support pkinit null, which is what many Kerberos
> implementations do to create the armor. What Windows machines do is to use
> the computer account as the armor for the user account logon. This may
> actually be a requirement (that the armor be a computer account) because
> the AD KDC wants to have both involved in the logon interaction so as to
> generate computer and user claims into the resulting ticket. I hope that I
> am wrong on that.
>
> -Ross
>
> -----Original Message-----
> From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On
> Behalf Of Faisal Ali
> Sent: Monday, February 9, 2015 5:55 AM
> To: kerberos@mit.edu
> Subject: Establish FAST encrypted channel between linux client and windows
> server
>
> I am trying to set up a Windows server for FAST encrypted channel support to
> test OTP pre-authentication in Kerberos.
>
> I have already tested on a Linux machine by deploying a KDC built from the
> krb5-1.12.1 source code and a FreeRADIUS server, and using the keytab of a
> service principal to receive an armor ccache to be used to establish the
> FAST encrypted channel between client and KDC.
>
> I have set up Windows Server 2012 for Kerberos, and added support for the
> "KDC support for claims, compound authentication and Kerberos armoring"
> policy on it. I can receive a TGT for the service principal.
>
> But, when I execute the command "kinit -T <armor-cache> <principal>", the
> KDC does not reply with any padata and no FAST encrypted channel is
> established (observed through the Wireshark log and Kerberos library logs).
>
> Is it possible to establish a FAST encrypted channel between a Linux client
> and Windows AD? Have I missed any setting?
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
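The two-step procedure the thread describes (obtain a TGT for the armor principal from its keytab into a separate ccache, then run `kinit -T` with that ccache) as an added shell example; this is not code from the thread or from the MIT krb5 project. The principal names, keytab and ccache paths are placeholders, and the `fast_negotiated` check reads a `KRB5_TRACE` log to distinguish the case the poster hit (FAST request sent, reply without FAST padata) from a successful negotiation; the trace strings it matches are assumed to follow MIT krb5's wording and may differ between versions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: FAST armoring with MIT
# krb5 kinit, plus a check of the client trace to see whether the KDC
# actually honoured the armor.
# Assumptions: all principals and paths are placeholders; the trace lines
# matched in fast_negotiated are modelled on MIT krb5 KRB5_TRACE output.

ARMOR_PRINC="${ARMOR_PRINC:-host/linuxclient.example.com@EXAMPLE.COM}"  # placeholder armor principal
ARMOR_KEYTAB="${ARMOR_KEYTAB:-/etc/krb5.keytab}"                          # keytab holding its key
ARMOR_CC="${ARMOR_CC:-/tmp/armor.ccache}"                                 # ccache used as FAST armor
USER_PRINC="${USER_PRINC:-user@EXAMPLE.COM}"                              # placeholder user principal
TRACE_LOG="${TRACE_LOG:-/tmp/kinit-fast.trace}"                           # where kinit writes its trace

# Step 1: TGT for the armor principal from its keytab, kept in its own ccache.
get_armor_ccache() {
    kinit -k -t "$ARMOR_KEYTAB" -c "$ARMOR_CC" "$ARMOR_PRINC"
}

# Step 2: the user's AS exchange armored with that ccache, with the library
# trace captured so the negotiation can be inspected afterwards.
fast_kinit() {
    KRB5_TRACE="$TRACE_LOG" kinit -T "$ARMOR_CC" "$USER_PRINC"
}

# Inspect a KRB5_TRACE log.
#   returns 0: FAST request sent and a FAST reply decoded (channel established)
#   returns 1: FAST request sent but no FAST reply (KDC answered without
#              FAST padata, the symptom described in the thread)
#   returns 2: no FAST request was sent at all (armor ccache not picked up)
fast_negotiated() {
    log="$1"
    if ! grep -q "Encoding request body and padata into FAST request" "$log"; then
        return 2
    fi
    if grep -q "Decoding FAST response" "$log"; then
        return 0
    fi
    return 1
}

# Full run: both kinit steps, then a verdict based on the trace.
run_fast_logon() {
    get_armor_ccache || { echo "armor kinit failed" >&2; return 1; }
    fast_kinit || { echo "armored kinit failed" >&2; return 1; }
    rc=0
    fast_negotiated "$TRACE_LOG" || rc=$?
    case $rc in
        0) echo "FAST channel negotiated" ;;
        1) echo "KDC replied without FAST padata: armoring not honoured by this KDC" ;;
        2) echo "client sent no FAST request: check the armor ccache and -T argument" ;;
    esac
    return $rc
}

# Real kinit calls only run when asked for, so the file can be sourced to
# reuse the functions (e.g. fast_negotiated on a saved trace).
if [ "${RUN_FAST_DEMO:-0}" = 1 ]; then
    run_fast_logon
fi
```

Run it with `RUN_FAST_DEMO=1 sh fast-kinit.sh` on a client with a working keytab; Wireshark confirms the same thing from the wire, since an armored AS-REQ carries PA-FX-FAST padata and a KDC that honours it answers with PA-FX-FAST in the AS-REP or KRB-ERROR rather than plain padata.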