You must have the external (MIT) principal mapped to a Windows user for logon to succeed.
This can be done with an Active Directory/Cross-realm trust by using the AltSecurityIdentities property on AD users. For a machine in a Workgroup, this can be done by using "ksetup /mapuser".

Windows supports AES256, AES128, RC4-HMAC and DES-CBC MD5 or CBC. The DES types are not available by default in Windows 7 (they have to be enabled).

-Ross

-----Original Message-----
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Jean-Yves Avenard
Sent: Tuesday, September 21, 2010 11:56 AM
To: kerberos@mit.edu
Subject: MIT kdc with Windows 7 pc

Hi there.

I have tried to configure a Windows 7 machine to use our kerberos realm. The KDC is MIT krb5 1.7.1.

When I try to log in using my kerberos principal, I get an error that there are no logon servers available.

In the Windows 7 logs, I see the error:
"The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client jeanyves_avenard in realm M.DOMAIN.COM could not be validated. This error is usually caused by domain trust failures; please contact your system administrator."

In the kdc logs, I can see that something is authenticating. Passwords seem okay, as if I type an incorrect password for my username, I get an error about the password being incorrect. Once I enter the right password, I get the error above.

I read http://www.faqs.org/faqs/kerberos-faq/general/ and about the PAC Microsoft put in. But it's a 10-year-old article, not sure how relevant it is today.

Am I to understand that it is not currently possible to authenticate on a Windows machine using a MIT kerberos KDC? It would be a good Windows domain replacement.

Kerberos from Windows seems to work fine, and I could use the credential with Firefox.

Any comments on the matter?

Thank you
JY
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
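
The workgroup case from the reply above, sketched as an added example (not part of the original thread). The realm and principal are the ones quoted in the question; the KDC host name and the local account name are placeholders. It assumes the PC's own host principal and "ksetup /setcomputerpassword" are already in place, and it offers only the AES types so DES stays disabled.

```powershell
# Added example: run from an elevated prompt on the Windows 7 workgroup PC.
$Realm     = 'M.DOMAIN.COM'               # realm named in the question
$Principal = "jeanyves_avenard@$Realm"    # principal named in the question
$KdcHost   = 'kdc.example.invalid'        # placeholder: DNS name of the MIT KDC
$LocalUser = 'jy-local'                   # placeholder: existing local Windows account

function Invoke-Ksetup {
    param([string[]]$Arguments)
    Write-Host "ksetup $($Arguments -join ' ')"
    & ksetup.exe $Arguments
    # Best-effort check; ksetup also prints its own error text.
    if ($LASTEXITCODE -ne 0) { throw "ksetup exited with code $LASTEXITCODE" }
}

# The mapping target has to exist first; otherwise the principal
# authenticates at the KDC but has no Windows account to log on as.
& net.exe user $LocalUser | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Local account '$LocalUser' does not exist" }

# Point the machine at the external realm and its KDC.
Invoke-Ksetup @('/setrealm', $Realm)
Invoke-Ksetup @('/addkdc', $Realm, $KdcHost)

# Offer only AES to the realm. The principals in the KDC need AES keys
# for this to work; RC4 and the DES types are deliberately left out.
Invoke-Ksetup @('/setenctypeattr', $Realm,
                'AES256-CTS-HMAC-SHA1-96', 'AES128-CTS-HMAC-SHA1-96')

# Map the external (MIT) principal to the local Windows user.
Invoke-Ksetup @('/mapuser', $Principal, $LocalUser)

# Print the resulting realm, KDC and mapping so they can be reviewed.
Invoke-Ksetup @('/dumpstate')
Write-Host 'Reboot before testing logon; realm changes take effect after restart.'
```

A one-to-one mapping as shown limits which external principals can log on; review the "/dumpstate" output for any wildcard mappings left over from earlier testing.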