Re: Authenticating Windows 2003 users to a central LDAP
- From: deengert@xxxxxxx ("Douglas E. Engert")
- Date: Fri, 23 Mar 2007 10:14:33 -0500
Ahmad Arshad wrote:
Hi Preetam,
Then let me rephrase the question a little...
We have two KDC servers with realm nyu.edu. Let's call them kerb1.nyu.edu
and kerb2.nyu.edu.
My active directory is systems.private.
I want this active directory authentication to authenticate off of these
kerberos servers... It's easy to do in unix and linux, but it's killing me
to set it up so this windows 2003 r2 AD can authenticate its users off
of those kerberos servers.
Sounds like what you want is Kerberos authentication to your NYU.EDU,
with cross realm trust to the AD which has the windows services, and user
accounts. Thus a user account in the AD will be associated with a Kerberos
principal in NYU.EDU, and when a service ticket for a windows service is
needed AD will add in the PAC information for the account.
See
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
Setting Trust With a Kerberos Realm
Creating Account Mappings
Account mappings are used to map a foreign Kerberos identity (in a
trusted MIT Kerberos realm) to a local account identity in the domain.
These account mappings are managed through the Active Directory
Management tool.
These account mappings will allow the Kerberos realm to act as an
account domain. Users with Kerberos principals that have mappings to
domain accounts can log on to a workstation that is joined to a trusted
domain using the Kerberos principal and password from the Kerberos realm.
Thanks
preetam R wrote:
Hi Ahmad,
FYI: The Domain Controller itself contains a LDAP
server.
Thanks,
Preetam
--- Ahmad Arshad <ahmad.arshad@xxxxxxx> wrote:
Hi,
I am not sure if this is the proper list for this... but any help would
be appreciated...
We are running a Windows 2003 R2 server whose domain is used for user
and workstation authentication for a portion of the university
population. We wanted to tie this domain, let's call it systems.private,
into the university wide ldap server, let's call it ldap.nyu.edu, which
stores university wide usernames/passwords etc.
This way users who are part of the domain (remember we only want users
who are part of the domain to have access) would be able to log in to the
domain.. using their IDs and passwords provided by the university.
I am not sure if this makes any sense...
so to recap
a) User tries to log into the domain with his id and password.
b) The domain controller checks to see if the user id is in its database.
c) if it is, it forwards the credential to the ldap server for
authentication.
d) if the ldap authenticates, the user is allowed to login...
Any help would be greatly appreciated..
Sincerely,
Ahmad S Arshad
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
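As an added example, not taken from the thread or from the Microsoft guide Douglas links, these are the AD-side commands that implement the realm trust and account mapping he describes, run in an elevated shell on a systems.private domain controller. The trust password, the user's DN and the principal name are assumed values, and the MIT KDC must hold a matching krbtgt/SYSTEMS.PRIVATE@NYU.EDU principal with the same password.

```powershell
# Added example: AD side of a one-way realm trust in which the Windows domain
# SYSTEMS.PRIVATE trusts the MIT Kerberos realm NYU.EDU. Run on a systems.private
# domain controller. The MIT KDC must contain the principal
# krbtgt/SYSTEMS.PRIVATE@NYU.EDU with a password equal to $trustPassword,
# otherwise the cross-realm TGTs it issues cannot be decrypted by the AD.
$trustPassword = 'REPLACE-WITH-LONG-RANDOM-SECRET'   # placeholder, not from the thread

# 1. Register the KDCs that serve NYU.EDU (both servers named in the thread).
ksetup /AddKdc NYU.EDU kerb1.nyu.edu
ksetup /AddKdc NYU.EDU kerb2.nyu.edu

# 2. Create the realm trust: SYSTEMS.PRIVATE (trusting) trusts NYU.EDU (trusted).
#    /Realm tells netdom the trusted side is a non-Windows Kerberos realm.
netdom trust SYSTEMS.PRIVATE /Domain:NYU.EDU /Add /Realm /PasswordT:$trustPassword

# 3. Map an AD account to its NYU.EDU principal. This writes the same
#    altSecurityIdentities value that the "Name Mappings" dialog in Active
#    Directory Users and Computers sets. The DN and the principal are assumed.
$ldif = @"
dn: CN=Ahmad Arshad,CN=Users,DC=systems,DC=private
changetype: modify
add: altSecurityIdentities
altSecurityIdentities: Kerberos:ahmad@NYU.EDU
-
"@
Set-Content -Path "$env:TEMP\mapping.ldf" -Value $ldif -Encoding ASCII
ldifde -i -f "$env:TEMP\mapping.ldf"

# 4. Show the realm/KDC configuration now in effect.
ksetup
```

After this, a logon as ahmad@NYU.EDU is authenticated by the NYU KDCs, and the systems.private DC adds the PAC for the mapped account when it issues service tickets, which is the behaviour Douglas describes.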