Hi Jeffrey,

Thanks for your detailed answer. Questions below.

On Friday, 12 December 2014, Jeffrey Altman wrote:
> On 12/5/2014 1:31 PM, Dr. Hendrik Naumann wrote:
> > Hi
> >
> > I am looking for a way to set up the Integrated Logon in such a
> > way that the acquired AFS Tokens can be renewed.
> >
> > [...]
> >
> > Is there any way to get access to the Kerberos Tickets from the
> > integrated logon? Under Linux Kerberos can be configured to store
> > its Tickets in a file and thus the TGT and also the Token can be
> > renewed later.
>
> The AFS Integrated Logon functionality is implemented as a WinLogon
> Authentication Provider function. The purpose of this function is
> to obtain credentials necessary for the logon process to access
> the user's profile data that might be stored in a remote file
> system. This function is called before the creation of the logon
> session. Credentials obtained in the Authentication Provider can
> be injected into the AFS Authentication Group (my Windows variant
> of PAGs on UNIX) that will be inherited by the logon session.
> However, there is no place to store the Kerberos TGT that was
> obtained.
>
> Prior to Windows Vista there were two other hook functions that
> would be executed within the logon session. One when the desktop
> shell started and the other when it shutdown. These functions ran
> with elevated permissions so in XP I used them to permit WinLogon
> to write the Kerberos TGT to a protected file and then extract it
> and store the contents into the logon session credential cache.
> This trick no longer works. Microsoft removed the hooks because
> their presence was an exploitable security hole.

Some months ago we were still using OpenAFS 1.7.21 and MIT Kerberos 3.2.2 together with the old Network Identity Manager on Windows 7 32-bit. In this setup we never had the problem of running out of AFS Tokens. How does that fit into the picture?

Because we changed the session encryption on the servers we had to upgrade to higher than 1.7.26, and in that process we also upgraded the whole Kerberos stack.

> If the TGT obtained by Integrated Logon is for the same Kerberos
> principal that will later be found in the MSLSA: credential cache,
> then all that is required for NIM to obtain a new AFS token is to
> configure the data for your cell in NIM. If the AFS token is
> obtained using a different Kerberos principal, then your users
> must enter the password again when the initial token expires.

This is very ugly, because normal users don't want to be bothered with details like that and thus tend to forget it or just cancel unknown dialogs. Especially dialogs asking for the password, which is actually a good thing. Our users are a very heterogeneous and international group of scientists focused on their projects. Some of them don't even speak good English, nor German. Thus it is very hard for us to get through with this kind of information.

Is there any chance to implement a feature so that the TGT is just stored to some file that can later be imported by NIM, by a logon script?

Thanks

Hendrik Naumann

--
Dr. Hendrik Naumann
Technische Universität Berlin
Institut für Chemie, Sekr. C3
Leiter EDV Chemie
Strasse des 17. Juni 115
10623 Berlin
Tel.: +49 30 314 29892
Mobil: +49 172 314 0410
Fax: +49 30 314 29309
WWW: http://www.chemie.tu-berlin.de/it
E-Mail: [email protected]
