On Fri, 17 Apr 2015, Meike Stone wrote:

> Hello dear list,
>
> I have Windows 7 workstations, not joined to a AD Domain.
> I like to use MIT Kerberos client to authenticate to a Kerberos server
> and run several programs using Kerberos to authenticate.
> The MIT client is installed and running, I get a krbtgt and if I use
> Firefox with network.auth.use-sspi=false, Firefox uses Kerberos as
> well.
>
> But my problem are applications that using only the MSLSA Kerberos
> cache (for example SAP-GUI via gsskrb5.dll) (SSPI)

SAP-GUI will use gssapi32.dll just fine, for what it's worth (we use it that way at MIT).

> Is it possible, to configure the MIT-Kerberos client to use this cache (too)?

It is possible to configure MIT Kerberos to use that cache, though it is not very well exposed in the GUI at the moment. You can set HKCU\Software\MIT\Kerberos5\ccname to "MSLSA:" in the registry to make it the default, or explicitly run

    kinit.exe -c MSLSA: <principal>

from cmd.exe to just get a ticket. (Once you have a ticket, the "make default" button will set the registry entry for you.)

However, with the currently released versions, if you have UAC enabled, the non-SSPI clients will not work. If you do not have UAC enabled, they will not work very well (they will wait for some DNS timeouts) unless you set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\REALM.NAME\KdcNames to a multi-string entry with the DNS names of the KDCs for the realm's KDCs.

There are several improvements on master that have not made it into a release yet; I hope to put out a KfW 4.1 release in the next couple of months which includes them.

> Using ksetup and logon to the kerberos real works, but I don't can
> make that deep changes on the Windows workstations (e.g. ne
> userprofile, etc ....).

I'm not sure I understand this paragraph.

> Main cause it to get running the SAP-GUI, using Kerberos to authenticate!
> Maybe someone has an idea to get this running on a simple workstation
> without domain or Kerberos membership.

I am surprised that it is not working; maybe the version of SAP GUI that MIT distributes internally has some custom config in place. In any case, you should be able to set SNC_LIB to point to the gssapi32.dll library and avoid the MSLSA: cache.

-Ben
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
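
The registry settings described in the reply above, applied and read back from PowerShell. This is an added example, not part of the original message or of KfW. The realm name and KDC host names are constructed placeholders, and storing ccname as a plain string (REG_SZ) is an assumption.

```powershell
# Added example: apply the two registry settings from the message and report state.
# $Realm and $KdcNames are placeholders; replace them with your realm's values.
param(
    [string]   $Realm    = 'REALM.NAME',
    [string[]] $KdcNames = @('kdc1.example.com', 'kdc2.example.com')
)
$ErrorActionPreference = 'Stop'

# 1. Per-user default credential cache for MIT Kerberos (HKCU, no elevation needed).
$mitKey = 'HKCU:\Software\MIT\Kerberos5'
if (-not (Test-Path $mitKey)) { New-Item -Path $mitKey -Force | Out-Null }
# Assumption: ccname is a REG_SZ value.
New-ItemProperty -Path $mitKey -Name 'ccname' -Value 'MSLSA:' `
    -PropertyType String -Force | Out-Null

# 2. Report UAC state: per the message, non-SSPI clients do not work with the
#    MSLSA: cache while UAC is enabled on the releases current at that time.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $uacKey -Name 'EnableLUA' `
        -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 1) {
    Write-Warning 'UAC is enabled: non-SSPI clients may not work with MSLSA: (see message).'
}

# 3. KDC names for the realm (HKLM, needs an elevated session).
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
$domKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
if ($isAdmin) {
    if (-not (Test-Path $domKey)) { New-Item -Path $domKey -Force | Out-Null }
    # MultiString produces the REG_MULTI_SZ ("multi-string") entry the message asks for.
    New-ItemProperty -Path $domKey -Name 'KdcNames' -Value $KdcNames `
        -PropertyType MultiString -Force | Out-Null
} else {
    Write-Warning "Not elevated: skipped KdcNames under $domKey."
}

# 4. Read the values back so the result can be checked.
[pscustomobject]@{
    ccname   = (Get-ItemProperty -Path $mitKey -Name 'ccname').ccname
    UacOn    = ($lua -eq 1)
    KdcNames = if (Test-Path $domKey) {
                   (Get-ItemProperty -Path $domKey -Name 'KdcNames' `
                       -ErrorAction SilentlyContinue).KdcNames -join ', '
               } else { '(not set)' }
}
```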