Hi Renyao,

I've played around with that several years (and Windows versions) ago, but still there should be two ways to go there:

A) The Windows client is not joined to an AD, or you want to map the MIT user to a local user on every single machine, because the users (or representations of the same persons) don't exist in AD.
This is done by a local mapping in the registry, done by the ksetup /mapuser command. Try
  ksetup /?
and
  ksetup /mapuser /?
to find out the details.

B) The Windows client is part of an AD, and you have a representation of every MIT user in the AD, ideally users with the same name, like
  ren...@mitrealm.mydomain.com <=> ren...@msad.mydomain.com <=> MSAD\renyao
Then you have to add a Kerberos trust (AD trusts MIT) between MITREALM.MYDOMAIN.COM and MSAD.MYDOMAIN.COM, and you have to do the mapping to the user accounts:
The AD user renyao needs the attribute "altSecurityIdentities" set/appended to/by
  "Kerberos:ren...@mitrealm.mydomain.com"
This can be done by GUI (ADUC) with right-click on User -> All Tasks -> Name Mappings -> Kerberos Names -> Add ren...@mitrealm.mydomain.com

In addition, the clients and the AD controllers have to learn about the trust (and the KDCs, if not done in DNS), either by local configuration (ksetup /addkdc and ksetup /hosttorealm) or by GPO (Policies -> Administrative Templates -> System -> Kerberos -> "Define host name-to-Kerberos realm mappings", "Define interoperable Kerberos V5 realm settings").

Robert.

On 24.01.2017 at 21:09, Renyao Wei wrote:
> Hi,
>
> Does anyone know how to allow Windows machines to authenticate against a MIT
> Kerberos KDC during Winlogon? My understanding is that there are some trusts
> to be setup between Active Directory and MIT KDC. But internet does not offer
> much more than that.
>
>
> Best,
> Renyao
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
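
Added example, not part of the message above or of any project's own code: option B's local realm configuration and the altSecurityIdentities mapping as a PowerShell sketch, with a guard so that one MIT principal never ends up mapped to two AD accounts. It assumes the realm trust already exists and the ActiveDirectory module is installed; the account jdoe, the KDC host name and the DNS suffix are hypothetical placeholders, and ksetup /addhosttorealm is used for the host-to-realm step.

```powershell
# Added example; every value marked "hypothetical" is a placeholder, not from the thread.
$MitRealm   = 'MITREALM.MYDOMAIN.COM'        # realm name used in the post
$MitKdc     = 'kdc1.mitrealm.mydomain.com'   # hypothetical KDC host
$HostSuffix = '.mitrealm.mydomain.com'       # hypothetical DNS suffix of realm hosts
$AdAccount  = 'jdoe'                         # hypothetical AD sAMAccountName
$Principal  = "jdoe@$MitRealm"               # hypothetical MIT principal
$Mapping    = "Kerberos:$Principal"

# Clients and domain controllers: make the realm and its KDC known locally
# (skip when the equivalent GPO settings or DNS records are in place).
ksetup /addkdc $MitRealm $MitKdc
ksetup /addhosttorealm $HostSuffix $MitRealm

# Domain side: refuse to create a second mapping for the same principal, so one
# MIT identity can never resolve to two AD accounts.
Import-Module ActiveDirectory
$owners = @(Get-ADUser -LDAPFilter "(altSecurityIdentities=$Mapping)")
if ($owners | Where-Object SamAccountName -ne $AdAccount) {
    throw "$Mapping is already mapped to: $($owners.SamAccountName -join ', ')"
}
if (-not $owners) {
    Set-ADUser -Identity $AdAccount -Add @{ altSecurityIdentities = $Mapping }
}

# Review: list every Kerberos name mapping in the domain with its owning accounts;
# any row with Count greater than 1 is a duplicate to investigate.
Get-ADUser -LDAPFilter '(altSecurityIdentities=Kerberos:*)' -Properties altSecurityIdentities |
    ForEach-Object {
        foreach ($value in $_.altSecurityIdentities) {
            if ($value -like 'Kerberos:*') {
                [pscustomobject]@{ Mapping = $value; Account = $_.SamAccountName }
            }
        }
    } |
    Group-Object Mapping |
    Select-Object Name, Count, @{ n = 'Accounts'; e = { $_.Group.Account -join ', ' } }

# Show the realm configuration this machine ended up with.
ksetup /dumpstate
```

The ksetup lines need an elevated prompt on each client and domain controller; the Active Directory part runs once from a management host with rights to modify the user object.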