I am pretty new to Kerberos, so I may mess up the terminology. We have had a couple of people attempt what I am describing below and we have failed so far. I just wanted to consult the group with the basic "is this possible" question first, then move on to broader questions like "who has done it" and "how is it done".
We have a student lab of Windows XP computers and we want the students to have to authenticate to use them. We have an MIT Kerberos KDC that "knows" all the students, but we do not want the MIT KDC to have to know each and every XP workstation. We would like to set up a Windows Server 2003 (or 2000, if that makes a difference) AD Domain Controller that the students log into, but we want that AD Domain Controller to contact the MIT KDC for authentication purposes. If we have to create explicit user accounts for each student in the Windows Active Directory Domain we will, but if we could map them all to a single account that would also be good.

In other words, we are willing to let the MIT KDC talk to the Windows AD Domain Controller, not all the workstations. We want the XP workstations to contact the Windows Domain Controller and have the Windows Domain Controller touch base with the MIT KDC to authenticate them.

I have set up a Windows Server 2003 AD Domain Controller. It is all working well from a DNS point of view. It is actually talking to the MIT KDC, but so far all I have gotten is a Windows error from the tickets returned when attempting a local login on the Windows Server and authenticating to the MIT KDC. I have not had ANY success logging into the Windows domain from an XP workstation... no traffic to the MIT KDC whatsoever...

I welcome your general and detailed comments! Thanks.

Terry Jones
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
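The configuration the post is asking about, as an added example that is not part of the original message or of any reply on the list: a one-way trust in which the Windows Server 2003 domain accepts tickets issued by the MIT realm, plus the name mapping that ties MIT principals to AD accounts. The realm names, host names, account names, paths and the trust password are assumptions chosen for illustration; the kadmin command appears as a comment because it is typed on the MIT KDC, not on the domain controller.

```powershell
# Added example, not from the original post. All names below are assumed.
$MitRealm = 'MIT.EXAMPLE.COM'        # assumption: realm served by the MIT KDC
$MitKdc   = 'kdc.mit.example.com'    # assumption: MIT KDC host name
$AdDomain = 'LAB.EXAMPLE.COM'        # assumption: Windows Server 2003 AD domain
$TrustPw  = 'ChangeMe-LongRandomSharedKey'   # inter-realm key, entered on BOTH sides

# --- 1. On the MIT KDC (kadmin), create the inter-realm principal that lets the MIT
#        KDC issue cross-realm tickets for the Windows domain. Use the same password as
#        $TrustPw. Windows 2003 / XP negotiate this trust with a DES key, so restrict
#        the enctype here:
#
#   kadmin.local -q "addprinc -pw ChangeMe-LongRandomSharedKey -e des-cbc-crc:normal krbtgt/LAB.EXAMPLE.COM@MIT.EXAMPLE.COM"

# --- 2. On the AD domain controller: declare the MIT realm as a trusted non-Windows
#        Kerberos realm (one-way: LAB trusts MIT, MIT does not trust LAB).
netdom trust $AdDomain /Domain:$MitRealm /Add /Realm /PasswordT:$TrustPw

# --- 3. Tell the Windows Kerberos client where the MIT KDC is. Run this on the DC and
#        on every XP workstation, or publish _kerberos._udp.$MitRealm SRV records in
#        DNS instead so nothing has to be touched per workstation.
ksetup /addkdc $MitRealm $MitKdc

# --- 4. Map MIT principals onto AD accounts. altSecurityIdentities is multi-valued, so
#        several students can share one AD account, or each student gets a 1:1 mapping
#        by pointing at their own account's DN. ldifde ships with Windows Server 2003.
$Ldif = @"
dn: CN=labstudent,CN=Users,DC=lab,DC=example,DC=com
changetype: modify
add: altSecurityIdentities
altSecurityIdentities: Kerberos:alice@$MitRealm
altSecurityIdentities: Kerberos:bob@$MitRealm
-
"@
Set-Content -Path 'C:\map.ldf' -Value $Ldif -Encoding ASCII   # assumed path
ldifde -i -f 'C:\map.ldf'
```

With this in place a student logs on at an XP workstation as alice@MIT.EXAMPLE.COM. The workstation's own Kerberos client does the AS exchange with the MIT KDC (which is why step 3 has to reach the workstations too, through ksetup or DNS SRV records), then asks the MIT KDC for a cross-realm TGT for LAB.EXAMPLE.COM and presents that to the DC, which looks the principal up in altSecurityIdentities to decide which AD account the session runs as. The MIT KDC only needs the student principals and the krbtgt/LAB.EXAMPLE.COM principal; it never has to know the individual workstations. Keeping the trust one-way means AD accounts cannot in turn be used against services in the MIT realm.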
