Re: AW: Proof of authenticity of TGT
On Aug 23, 2006, at 3:43, Olfmatic wrote:
> I understand your warnings. But it is not possible to add the
> service to the realm, because it is running on a host that is not
> in the same Windows domain and not in the same Kerberos realm. To
> be more precise, it is not running in a Kerberos realm at all and
> thus is not really a Kerberos service.

If you already have the ability to modify the application client and
server code to send and verify the TGT, then the only thing
preventing you from doing the same with a normal service ticket would
be your KDC. In which case, you're not talking about the MIT KDC,
and then I can't help you with getting the TGT key out.
But I'd be really surprised if a Windows KDC couldn't be convinced to
add an arbitrary service principal somehow. (But since I don't play
around with Windows KDCs much, I couldn't tell you how to do it
without doing all the same Google searches that you'd expect to have
to do.)
Ken
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos