Re: support SSO in Windows with Keberos TGT - Kerberos


  1. Re: support SSO in Windows with Keberos TGT

    >> Hi,
    >>
    >>
    >> Using Mit Kerberos how can I support SSO?


    >You can obtain your tickets during the windows logon process from your
    >domain controller and then access them from KFW aware applications by
    >setting the default ccache to MSLSA: or by permitting Network Identity
    >Manager to synchronize the MSLSA: cache contents with an API: cache.
    >> Is it possible to update Microsoft cache? How can I make other kerberised
    >> application to use cache file which is generated by my application.


    >On Vista the MSLSA: cache is read-write provided you do not use the
    >binaries provided by MIT.
    >KFW 3.2.2 was built incorrectly and the MIT distribution treats the
    >Vista MSLSA: cache as read-only.


    I want to update/add my credentials to the Microsoft (Windows XP & Vista
    & Win2k Prof) cache. So other than Vista I can't update credentials to
    "MSLSA:".

    How can we support SSO with a Kerberos TGT? How are all other products
    able to do this?

    Are they maintaining their own clients for supporting SSO?


    Here my problem is that all clients should use my cache data, which is
    generated by my application; they should not use the Microsoft login
    cache (MSLSA:).
    Or else,
    if it is possible, I should be able to update the MSLSA: cache.

    Is there any other way to support SSO?


    >> I mean when I got credentials (TGT) from KDC, I will store to cache file.
    >> I will set it as default cache.

    >Ok. Then all KFW aware applications that do not specify a ccache will
    >use those credentials.




    ***************************************************************************************
    This e-mail and attachments contain confidential information from HUAWEI,
    which is intended only for the person or entity whose address is listed
    above. Any use of the information contained herein in any way (including,
    but not limited to, total or partial disclosure, reproduction, or
    dissemination) by persons other than the intended recipient's) is
    prohibited. If you receive this e-mail in error, please notify the sender by
    phone or email immediately and delete it!





    Message: 6
    Date: Fri, 25 Jan 2008 18:52:32 -0500
    From: Jeffrey Altman
    Subject: Re: support SSO in Windows with Keberos TGT
    To: eswars@huawei.com
    Cc: kerberos@mit.edu
    Message-ID: <479A7640.8090701@secure-endpoints.com>
    Content-Type: text/plain; charset="iso-8859-1"

    Eswar S wrote:
    > Hi,
    >
    >
    > Using Mit Kerberos how can I support SSO?

    You can obtain your tickets during the windows logon process from your
    domain controller and then access them from KFW aware applications by
    setting the default ccache to MSLSA: or by permitting Network Identity
    Manager to synchronize the MSLSA: cache contents with an API: cache.
    >
    > Is it possible to update Microsoft cache? How can I make other kerberised
    > application to use cache file which is generated by my application.

    On Vista the MSLSA: cache is read-write provided you do not use the
    binaries provided by MIT.
    KFW 3.2.2 was built incorrectly and the MIT distribution treats the
    Vista MSLSA: cache as read-only.
    >
    > I mean when I got credentials (TGT) from KDC, I will store to cache file.
    > I will set it as default cache.

    Ok. Then all KFW aware applications that do not specify a ccache will
    use those credentials.
    >
    > My doubt is how all are supporting SSO using Kerberos tokens.
    >
    > How can I update Microsoft cache? Is it possible?
    >
    > Please help me in this regard. I will be waiting for your reply.
    >
    > Thanks and Regards,
    > Eswar S
    >
    >


    ------------------------------

    Message: 7
    Date: Fri, 25 Jan 2008 21:09:20 -0500
    From: "Matt Smith"
    Subject: Re: [lib]kadm on Windows?
    To: "Russ Allbery"
    Cc: kerberos@mit.edu
    Message-ID: <44a3206d0801251809p2271942fkdca5b5eeb3d748c2@mail.gmail.com>
    Content-Type: text/plain; charset=UTF-8

    On Jan 25, 2008 6:28 PM, Russ Allbery wrote:
    >
    > That's the bit that I was referring to where I hadn't had a chance to
    > include the patch yet. I'm hoping to get it into the next release,
    > although I don't yet have a plan for when that will be.
    >


    I'll probably start digging into this in about a month. If it will help
    any, I'll report back anything I find. Is there a preferred forum for
    remctl discussion?

    Thank you,
    -Matt
    --
    matt@forsetti.com
    Key ID6EEC5B5


    ------------------------------

    _______________________________________________
    Kerberos mailing list
    Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


    End of Kerberos Digest, Vol 61, Issue 35
    ****************************************



  2. Re: support SSO in Windows with Keberos TGT

    Hi,

    perhaps you can have a look at www.centrify.com which provides an interop SSO
    between Windows/Unix/Linux based on Kerberos...

    sylvain


    --
    Sylvain Cortes
    MVP GPOs - http://www.gpomasters.com

    NEXT MEETING OF THE ACTIVE DIRECTORY COMMUNITY ON 29 JANUARY -
    REGISTRATION AT WWW.CADIM.ORG

    Join the Active Directory and Identity Management community!!!
    http://www.cadim.org






  3. RE: support SSO in Windows with Keberos TGT

    it's managed by the centrify client deployed on the Unix/Linux host

    Sylvain CORTES sylvaincortes@hotmail.com

    > Date: Wed, 13 Feb 2008 18:46:17 -0500
    > From: jaltman@secure-endpoints.com
    > To: sylvaincortes@hotmail.com
    > CC: kerberos@mit.edu
    > Subject: Re: support SSO in Windows with Keberos TGT
    >
    > Sylvain - MVP GPOs wrote:
    > > Hi,
    > >
    > > perhaps you can have a look at www.centrify.com which provides an interop SSO
    > > between Windows/Unix/Linux based on Kerberos...
    > >
    > > sylvain
    >
    > How would that solve the "need a single credential cache" problem
    > that this thread is discussing?


  4. RE: support SSO in Windows with Keberos TGT

    Hi,

    no.
    The Centrify client makes the Unix/Linux/Mac computers AD aware, and Kerberos aware.
    The central KDC is the Active Directory KDC, and the Unix/Linux/Mac machines are exactly like Windows AD clients.
    So, for example, a Windows computer which uses PuTTY can present a Kerberos ticket to a Unix machine with the Centrify client, without any re-authentication. And Unix to Windows, or Unix to Unix, works also in the same way.

    is that more clear?

    Sylvain CORTES sylvaincortes@hotmail.com



    > Date: Thu, 14 Feb 2008 10:32:26 -0500
    > From: jaltman@secure-endpoints.com
    > To: sylvaincortes@hotmail.com
    > CC: kerberos@mit.edu
    > Subject: Re: support SSO in Windows with Keberos TGT
    >
    > sylvain cortes wrote:
    > > it's managed by the centrify client deployed on the Unix/Linux host
    >
    > You do understand that the issue here is how to use applications written
    > to use KFW and applications written to use Kerberos SSP on the Windows
    > platform with the same credential cache.
    >
    > Are you suggesting that the user switch from Windows based clients to
    > UNIX/Linux based clients as a solution to his SSO issues on Windows?


  5. Re: support SSO in Windows with Keberos TGT

    sylvain cortes wrote:
    > So, for example, a windows computer which use Putty can present a
    > kerberos ticket to a Unix machine with the Centrofy client, without
    > any re-authentication. And Unix to Windows, or Unix to Unix works
    > also in the same way.


    You can do that without paying for Centrify. All you need to do is to
    correctly set up the machine keytab and get a PuTTY version that supports
    GSSAPI credential forwarding.


  6. RE: support SSO in Windows with Keberos TGT

    hi - you always can do everything...it's a question about time ;-)
    I did the "classic" way before using centrify, and it was "hell" to maintain: manage the keytab, manage the "ad account", manage the NTP client to have the right ticket session, etc...
    Sylvain CORTES sylvaincortes@hotmail.com



    > From: cclausen@acm.org
    > To: sylvaincortes@hotmail.com
    > CC: kerberos@mit.edu
    > Subject: Re: support SSO in Windows with Keberos TGT
    > Date: Tue, 19 Feb 2008 13:08:22 -0600
    >
    > sylvain cortes wrote:
    > > So, for example, a Windows computer which uses PuTTY can present a
    > > Kerberos ticket to a Unix machine with the Centrify client, without
    > > any re-authentication. And Unix to Windows, or Unix to Unix, works
    > > also in the same way.
    >
    > You can do that without paying for Centrify. All you need to do is to
    > correctly set up the machine keytab and get a PuTTY version that supports
    > GSSAPI credential forwarding.


  7. Re: support SSO in Windows with Keberos TGT

    sylvain cortes wrote:
    > hi - you always can do everything...it's a question about time ;-) I
    > did the "classic" way before using centrify, and it was "hell" to
    > maintain: manage the keytab, manage the "ad account", manage the NTP
    > client to have the right ticket session, etc...


    Sorry but NTP doesn't use Kerberos tickets. Apart from keeping the time
    in synch, how does NTP get involved with tickets?

    Danny

  8. RE: support SSO in Windows with Keberos TGT

    as you said for keeping the time in synch...
    but time issues can provide some strange behaviour with kerberos.

    Sylvain CORTES sylvaincortes@hotmail.com



    > Date: Fri, 22 Feb 2008 18:14:24 -0500
    > From: mayer@ntp.isc.org
    > To: sylvaincortes@hotmail.com
    > CC: cclausen@acm.org; kerberos@mit.edu
    > Subject: Re: support SSO in Windows with Keberos TGT
    >
    > sylvain cortes wrote:
    > > hi - you always can do everything...it's a question about time ;-) I
    > > did the "classic" way before using centrify, and it was "hell" to
    > > maintain: manage the keytab, manage the "ad account", manage the NTP
    > > client to have the right ticket session, etc...
    >
    > Sorry but NTP doesn't use Kerberos tickets. Apart from keeping the time
    > in synch, how does NTP get involved with tickets?
    >
    > Danny


  9. Re: support SSO in Windows with Keberos TGT

    sylvain cortes wrote:
    > as you said for keeping the time in synch...
    > but time issues can provide some strange behaviour with kerberos.
    >
    > Sylvain CORTES sylvaincortes@hotmail.com
    >


    If you have NTP issues you should post to the questions@lists.ntp.org
    mailing list or the comp.protocols.time.ntp newsgroup.

    Danny


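As an added example, not part of any post in this thread: a small POSIX shell script with the checks a practitioner would run before relying on the "classic" setup from post 5 (machine keytab plus GSSAPI forwarding to sshd), together with the clock-skew check behind the time-sync remarks in posts 7 to 9. The hostname unixhost.example.com, the realm EXAMPLE.COM and the sample klist/sshd_config text are constructed placeholders, and the 300 s limit is MIT krb5's default clockskew.

```shell
#!/bin/sh
# Added example (not from the thread): prerequisite checks for the "classic"
# Kerberos SSO setup on a Unix/Linux host that a Windows PuTTY user logs
# into with GSSAPI. Each check takes its input as text so it can run
# against the constructed samples below; in production feed it the real
# output of `klist -kt /etc/krb5.keytab`, the real sshd_config and real
# clock readings. Hostname and realm are placeholders.

# 1. The machine keytab must hold host/<fqdn>@<REALM>; sshd uses this key
#    to accept the ticket the client presents. Exact match on the last field
#    of each `klist -kt` line, so the dots in the FQDN are not regex wildcards.
keytab_has_host_principal() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" \
        '$NF == want { found = 1 } END { exit !found }'
}

# 2. sshd must have GSSAPIAuthentication enabled. As in sshd's own parsing,
#    the first uncommented occurrence of the keyword wins; the default is "no".
sshd_gssapi_enabled() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | awk 'tolower($1) == "gssapiauthentication" { print tolower($2); exit }' \
        | grep -qx yes
}

# 3. Client and KDC/server clocks must agree within the Kerberos clockskew
#    limit (MIT default 300 s), or tickets are rejected as too skewed.
#    Arguments are epoch seconds; an optional third argument overrides 300.
skew_within_limit() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le "${3:-300}" ]
}

# Constructed samples (not captured from any real system).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------
   3 02/01/08 10:00:00 host/unixhost.example.com@EXAMPLE.COM
   3 02/01/08 10:00:00 host/unixhost.example.com@EXAMPLE.COM'

SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes'

# Run a check and print a one-line verdict; never aborts the script.
report() { if "$@"; then echo "ok:   $1"; else echo "FAIL: $1"; fi; }

report keytab_has_host_principal "$SAMPLE_KEYTAB" unixhost.example.com EXAMPLE.COM
report sshd_gssapi_enabled "$SAMPLE_SSHD_CONFIG"
report skew_within_limit 1203700000 1203700120   # 2 minutes apart: accepted
report skew_within_limit 1203700000 1203701000   # 1000 s apart: rejected
```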

