Hello Benjamin,

2015-04-17 22:18 GMT+02:00 Benjamin Kaduk <ka...@mit.edu>:
> On Fri, 17 Apr 2015, Meike Stone wrote:
>
>> Hello dear list,
>>
>> I have Windows 7 workstations, not joined to an AD Domain.
>> I like to use MIT Kerberos client to authenticate to a Kerberos server
>> and run several programs using Kerberos to authenticate.
>> The MIT client is installed and running, I get a krbtgt and if I use
>> Firefox with network.auth.use-sspi=false, Firefox uses Kerberos as
>> well.
>>
>> But my problem is applications that use only the MSLSA Kerberos
>> cache (for example SAP-GUI via gsskrb5.dll) (SSPI)
>
> SAP-GUI will use gssapi32.dll just fine, for what it's worth (we use it
> that way at MIT).
>
>> Is it possible to configure the MIT-Kerberos client to use this cache (too)?
>
> It is possible to configure MIT Kerberos to use that cache, though it is
> not very well exposed in the GUI at the moment. You can set
> HKCU\Software\MIT\Kerberos5\ccname to "MSLSA:" in the registry to make it
> the default, or explicitly run kinit.exe -c MSLSA: <principal> from
> cmd.exe to just get a ticket. (Once you have a ticket, the "make default"
> button will set the registry entry for you.)

That works absolutely fine! Thanks :-D

>
> However, with the currently released versions, if you have UAC enabled,
> the non-SSPI clients will not work. If you do not have UAC enabled, they
> will not work very well (they will wait for some DNS timeouts) unless you
> set
> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\REALM.NAME\KdcNames
> to a multi-string entry with the DNS names of the KDCs for the realm's
> KDCs.

I've seen this before, that's what Microsoft does if ksetup.exe is invoked!
But on a test PC, I dropped that configuration and it works as well,
no (appreciable) timeout seen, but I haven't sniffed.
I'll be digging deeper soon!

>
> There are several improvements on master that have not made it into a
> release yet; I hope to put out a KfW 4.1 release in the next couple of
> months which includes them.

What improvements?

>
>> Using ksetup and logon to the Kerberos realm works, but I can't
>> make such deep changes on the Windows workstations (e.g. new
>> userprofile, etc ....).
>
> I'm not sure I understand this paragraph.

I mean using Microsoft's Kerberos Client (W7 included / W2k3 in
support tools), configured by ksetup.exe - installation without the
MIT-Kerberos Client!
That solution is working as well, but the user must log on to the
Kerberos "domain" and the user gets a new profile!
Microsoft's "kinit" is only invoked during the logon process.

>
>> Main cause is to get the SAP-GUI running, using Kerberos to authenticate!
>> Maybe someone has an idea to get this running on a simple workstation
>> without domain or Kerberos membership.
>
> I am surprised that it is not working; maybe the version of SAP GUI that
> MIT distributes internally has some custom config in place. In any case,
> you should be able to set SNC_LIB to point to the gssapi32.dll library and
> avoid the MSLSA: cache.

Yes, now it works - Thanks!

But one question. I tried the same on Windows 2003, but it didn't work.
We have a few standalone Terminal servers, managed from other
departments (same with the Windows 7 PCs).
Is it possible to do that with Windows 2003 too - would be very nice!

Thanks Meike
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
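
The two registry settings discussed in the thread above can be inspected and set from PowerShell. This is an added example, not part of the original messages and not code from the KfW project. It assumes `ccname` is stored as a string (REG_SZ) value; the function names and the KDC host names are constructed placeholders, and `REALM.NAME` is the placeholder used in the thread.

```powershell
# Added example: audit and set the registry values named in the thread.
# Assumptions: ccname is a REG_SZ value; function names are hypothetical;
# the KDC host names are constructed placeholders for your realm's KDCs.
# Writing under HKLM requires an elevated (administrator) session.

$KfwKey     = 'HKCU:\Software\MIT\Kerberos5'
$LsaDomains = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains'

function Get-KerberosCacheConfig {
    param([Parameter(Mandatory=$true)][string]$Realm)
    # Missing keys or values yield $null instead of an error.
    $cc   = (Get-ItemProperty -Path $KfwKey -Name ccname `
                -ErrorAction SilentlyContinue).ccname
    $kdcs = (Get-ItemProperty -Path (Join-Path $LsaDomains $Realm) `
                -Name KdcNames -ErrorAction SilentlyContinue).KdcNames
    New-Object PSObject -Property @{
        Realm         = $Realm
        DefaultCcname = $cc
        UsesMslsa     = ($cc -eq 'MSLSA:')   # per-user default cache is the LSA cache
        KdcNames      = @($kdcs)
    }
}

function Set-KerberosCacheConfig {
    param(
        [Parameter(Mandatory=$true)][string]$Realm,
        [string[]]$KdcNames
    )
    # Per-user: make MSLSA: the default credential cache for MIT Kerberos.
    if (-not (Test-Path $KfwKey)) { New-Item -Path $KfwKey -Force | Out-Null }
    New-ItemProperty -Path $KfwKey -Name ccname -Value 'MSLSA:' `
        -PropertyType String -Force | Out-Null

    # Machine-wide: list the realm's KDCs as a multi-string value.
    if ($KdcNames) {
        $realmKey = Join-Path $LsaDomains $Realm
        if (-not (Test-Path $realmKey)) { New-Item -Path $realmKey -Force | Out-Null }
        New-ItemProperty -Path $realmKey -Name KdcNames -Value $KdcNames `
            -PropertyType MultiString -Force | Out-Null
    }
}

Set-KerberosCacheConfig -Realm 'REALM.NAME' `
    -KdcNames 'kdc1.example.org','kdc2.example.org'
Get-KerberosCacheConfig -Realm 'REALM.NAME'
```

Running `Get-KerberosCacheConfig` alone on a workstation shows whether the per-user default cache and the realm's KDC list are already in place before anything is changed.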