David Bear wrote:
> On Thu, Apr 30, 2009 at 4:41 PM, Jeffrey Altman
> <jalt...@secure-endpoints.com> wrote:
>
> > David Bear wrote:
> > > Normally, when we install KfW (currently using 3.2.2) on windows, we include
> > > a krb5.ini file that is mostly the same as the krb5.conf we use on linux.
> > > Our krb5.ini only has asu.edu realm information in it. We also have an AD
> > > domain to which our windows clients are joined. When a user does a domain
> > > logon, they normally get 2 credentials automatically, one for the AD domain,
> > > and one for our ASU.EDU realm. This is the behavior we like.
> > >
> > > However, today, using the same configuration file, NiM is only reporting
> > > credentials for the AD domain -- it is not automatically getting credentials
> > > from the ASU.EDU realm. We have selected (obtain new creds at startup) and
> > > (destroy all creds on exit) but this makes no difference. For some reason,
> > > KfW is not getting all the creds we are used to at startup. Any advice on
> > > how to get the behavior back that we want?
> >
> > NIM does not obtain the credentials. The KFW network provider
> > (kfwlogon.dll) does this if and only if:
> >
> > 1. the password for the AD and MIT realms are the same
> > 2. kfwlogon.dll is installed
> > 3. the default realm in the krb5.ini file is the MIT realm
> >
> > The NIM obtain new creds at startup does not affect the kfwlogon.dll.
> > What it does is prompt the user for credentials if there are none
> > available at startup.
>
> We have set the asu.edu realm to be the default realm in the krb5.ini
> file. The passwords between AD domains and MIT Krb realms are identical.
> Still, KfW doesn't auto-get asu.edu realm credentials. We can obtain
> credentials using NiM AFTER standard windows logon. But it is just not
> getting them automatically. Is there some other configuration option we
> have missed or munged?

You should verify that the Network Provider kfwlogon.dll is installed and
assuming that is true then you can turn on Windows Application Event Logging

    HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider
    "Debug" DWORD 0x01
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
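
The conditions listed in the thread for kfwlogon.dll (provider installed, MIT realm as default realm) and the Debug value can be checked from PowerShell; the script below is an added example, not part of the original messages or of KfW. It assumes krb5.ini sits in the Windows directory and that the provider is listed in ProviderOrder under the service key name "MIT Kerberos"; the parameter names and the `-EnableDebug` switch are hypothetical.

```powershell
# Added example: checks the kfwlogon.dll preconditions named in the thread.
param(
    # Assumption: krb5.ini is in the Windows directory; pass another path if not.
    [string]$Krb5Ini = (Join-Path $env:WINDIR 'krb5.ini'),
    # Realm expected as default_realm (taken from the thread; replace with yours).
    [string]$ExpectedRealm = 'ASU.EDU',
    # Hypothetical switch: write the Debug value from the thread (needs admin).
    [switch]$EnableDebug
)

$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MIT Kerberos\NetworkProvider'
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'

# Condition 2: the network provider is registered and its DLL is on disk.
$np = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if (-not $np) {
    Write-Warning "Missing key: $svcKey (network provider not installed)"
} else {
    $dll = [Environment]::ExpandEnvironmentVariables([string]$np.ProviderPath)
    $onDisk = [bool]$dll -and (Test-Path -LiteralPath $dll)
    "ProviderPath     : $dll (on disk: $onDisk)"
    if ($EnableDebug) {
        New-ItemProperty -Path $svcKey -Name Debug -PropertyType DWord -Value 1 -Force | Out-Null
    }
    "Debug            : $((Get-ItemProperty -Path $svcKey).Debug)"
}

# Network providers are loaded from the ProviderOrder list.
# Assumption: the entry is the service key name, "MIT Kerberos".
$order = (Get-ItemProperty -Path $orderKey).ProviderOrder -split ','
"In ProviderOrder : $($order -contains 'MIT Kerberos')"

# Condition 3: default_realm in [libdefaults] is the MIT realm.
$inLibdefaults = $false
$defaultRealm  = $null
foreach ($line in (Get-Content -LiteralPath $Krb5Ini -ErrorAction SilentlyContinue)) {
    $t = $line.Trim()
    if ($t -match '^\[(.+)\]$') { $inLibdefaults = $Matches[1] -eq 'libdefaults'; continue }
    if ($inLibdefaults -and $t -match '^default_realm\s*=\s*(\S+)') { $defaultRealm = $Matches[1] }
}
# Realm names are case-sensitive, so compare with -ceq.
"default_realm    : $defaultRealm (matches ${ExpectedRealm}: $($defaultRealm -ceq $ExpectedRealm))"
```

Condition 1 (identical passwords in the AD domain and the MIT realm) cannot be verified from the workstation and is not checked here.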