Authenticating Windows 2003 users to a central LDAP - Kerberos


  1. Authenticating Windows 2003 users to a central LDAP

    Hi,

    I am not sure if this is the proper list for this... but any help would
    be appreciated...

    We are running a Windows 2003 R2 server whose domain is used for user
    and workstation authentication for a portion of the university
    population. We wanted to tie this domain (let's call it systems.private)
    into the university-wide LDAP server (let's call it ldap.nyu.edu), which
    stores university-wide usernames/passwords etc.

    This way users who are part of the domain (remember, we only want users
    who are part of the domain to have access) would be able to log in to the
    domain using their IDs and passwords provided by the university.

    I am not sure if this makes any sense...

    so to recap

    a) User tries to log into the domain with his ID and password.
    b) The domain controller checks to see if the user ID is in its database.
    c) If it is, it forwards the credential to the LDAP server for
    authentication.
    d) If the LDAP server authenticates, the user is allowed to log in.

    Any help would be greatly appreciated.

    Sincerely,

    Ahmad S Arshad

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Authenticating Windows 2003 users to a central LDAP

    Hi Ahmad,

    FYI: The Domain Controller itself contains an LDAP
    server.

    Thanks,
    Preetam



  3. Re: Authenticating Windows 2003 users to a central LDAP

    Hi Preetam,

    Then let me rephrase the question a little...

    We have two KDC servers with realm nyu.edu. Let's call them kerb1.nyu.edu
    and kerb2.nyu.edu.

    My Active Directory domain is systems.private.

    I want this Active Directory to authenticate its users off of these
    Kerberos servers. It's easy to do in Unix and Linux, but it's killing me
    to set it up so this Windows 2003 R2 AD can authenticate its users off
    of those Kerberos servers.

    Thanks



    --
    Sincerely,

    Ahmad Arshad

    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Systems Administrator
    Library Information Technology Systems
    New York University, Division of Libraries
    70 Washington Square South, Mezzanine
    New York, NY 10012-1091
    O: (212) 995-3513
    F: (212) 995-3548
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



  4. Re: Authenticating Windows 2003 users to a central LDAP

    If I understood you correctly, the thing you want to do is to create a
    cross-realm trust such that the Windows domain trusts your realm NYU.EDU.

    This is indeed possible. Nevertheless, you have to create the users in
    your Active Directory, too. This is because Kerberos can only be used
    for authentication; authorization has to be done with Active Directory.

    Take a look at
    http://www.microsoft.com/windows2000.../kerbsteps.asp

    The section which is relevant for you is "Setting Trust
    With a Kerberos Realm".

    Thomas

  5. Re: Authenticating Windows 2003 users to a central LDAP



    Ahmad Arshad wrote:
    > Hi Preetam,
    >
    > Then let me rephrase the question a little...
    >
    > We have two KDC servers with realm nyu.edu. Lets call them kerb1.nyu.edu
    > and kerb2.nyu.edu
    >
    > my active directory is systems.private
    >
    > I want this active directory authentication to authenticate off of these
    > kerberos servers... Its easy to do in unix and linux, but its killing me
    > to set it up so this windows 2003 r2 AD can authenticate its users off
    > of those kerberos servers.


    Sounds like what you want is Kerberos authentication to your NYU.EDU realm,
    with a cross-realm trust to the AD which has the Windows services and user
    accounts. Thus a user account in the AD will be associated with a Kerberos
    principal in NYU.EDU, and when a service ticket for a Windows service is
    needed, AD will add in the PAC information for the account.

    See
    http://www.microsoft.com/technet/pro.../kerbstep.mspx

    Setting Trust With a Kerberos Realm

    Creating Account Mappings

    Account mappings are used to map a foreign Kerberos identity (in a
    trusted MIT Kerberos realm) to a local account identity in the domain.
    These account mappings are managed through the Active Directory
    Management tool.

    These account mappings allow the Kerberos realm to act as an
    account domain. Users with Kerberos principals that have mappings to
    domain accounts can log on to a workstation that is joined to a trusted
    domain using the Kerberos principal and password from the Kerberos realm.



    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
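    The Windows-side steps behind the two replies above (Thomas's cross-realm
    trust and Douglas's account mappings), as an added example that is not
    from the thread, from Microsoft's documentation, or from MIT Kerberos. It
    uses the thread's names (AD domain systems.private, MIT realm NYU.EDU,
    KDCs kerb1.nyu.edu and kerb2.nyu.edu); the trust password, the sample
    user, the principal name and the OU path are placeholders I constructed.
    It assumes ksetup, netdom, ldifde and nltest are available on the domain
    controller (on Windows 2003 netdom and nltest ship with the Support Tools).

```powershell
# Added example: establish a one-way trust (systems.private trusts NYU.EDU)
# and map MIT principals to existing AD accounts. Run as a domain admin on a
# systems.private domain controller; the same commands also work from cmd.exe.

$MitRealm = "NYU.EDU"          # Kerberos realm names are case-sensitive; MIT realms are conventionally upper case
$AdDomain = "systems.private"
$TrustPw  = "<TRUST-PASSWORD-PLACEHOLDER>"   # placeholder; keep it long and random

# 1. Tell Windows which KDCs serve the MIT realm. Needed on the DC and on every
#    workstation where users will log on with a NYU.EDU principal.
ksetup /AddKdc $MitRealm kerb1.nyu.edu
ksetup /AddKdc $MitRealm kerb2.nyu.edu

# 2. Create the trust. The MIT KDC must hold a matching cross-realm principal,
#    keyed with the same password, created in kadmin on kerb1.nyu.edu:
#        addprinc krbtgt/SYSTEMS.PRIVATE@NYU.EDU
#    (enter $TrustPw when prompted; pick an enctype Windows 2003 supports,
#    such as rc4-hmac). Without /Twoway this is one-way: AD trusts NYU.EDU,
#    NYU.EDU does not trust AD.
netdom trust $AdDomain "/Domain:$MitRealm" /Add /Realm "/PasswordT:$TrustPw"

# 3. Map each MIT principal to its AD account. Kerberos only authenticates;
#    group membership and ACLs still come from the AD object, so the account
#    must exist first (this is the point Thomas makes above). ADUC exposes the
#    mapping as "Name Mappings"; the attribute it writes is
#    altSecurityIdentities, which ldifde can import in bulk.
$Ldif = @"
dn: CN=Example User,OU=Users,DC=systems,DC=private
changetype: modify
add: altSecurityIdentities
altSecurityIdentities: Kerberos:exampleuser@NYU.EDU
-
"@
Set-Content -Path mappings.ldf -Value $Ldif -Encoding ASCII
ldifde -i -f mappings.ldf

# 4. Verify: the MIT realm appears in the trust list and the KDC entries are
#    recorded. ksetup with no arguments prints the current realm configuration.
nltest /domain_trusts
ksetup
```

    Two things worth checking after this runs: a logon that is refused with an
    unknown-user error almost always means step 3 is missing for that principal
    (the TGT exchange with NYU.EDU succeeded but AD had no account to attach a
    PAC to), and the trust password in step 2 must be changed in both places at
    once, since the AD trust object and the krbtgt/SYSTEMS.PRIVATE@NYU.EDU
    principal are the two halves of the same shared key.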