On Wed, Jul 23, 2008 at 05:55:20PM -0700, Russ Allbery wrote:
> Nicolas Williams <[EMAIL PROTECTED]> writes:
> > On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
>
> >> Extracting the keys from AD is not possible [1].
>
> > Nor is it possible to extract them from MIT krb5 KDCs.
>
Nicolas Williams <[EMAIL PROTECTED]> writes:
> On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
>> Extracting the keys from AD is not possible [1].
> Nor is it possible to extract them from MIT krb5 KDCs.
It is as of 1.6 using kadmin.local (not that this changes the rest of your
On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
> Extracting the keys from AD is not possible [1].
Nor is it possible to extract them from MIT krb5 KDCs.
> However, the ktpass utility from MS can set the password, generate the
> corresponding key separately and put it into a key
Paul Moore wrote:
> "It could then impersonate any user to the machine"
>
> Can you explain that. I want to make sure I understand all potential
> kerb threats, this is a new one to me.
This is at the heart of Kerberos. Client and server trust KDC and trust
KDC to give service ticket to client
On Wed, Jul 23, 2008 at 3:59 AM, Edward Irvine <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'd like to find out if there is any way to extract a HOST keytab for
> a windows computer that is already a member of an active directory
> domain.
>
> A Java developer I look after wants to do the single sign on t
"It could then impersonate any user to the machine"
Can you explain that. I want to make sure I understand all potential
kerb threats, this is a new one to me.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Douglas E. Engert
Sent: Wednesday, July 23
Edward Irvine wrote:
> Hi,
>
> I'd like to find out if there is any way to extract a HOST keytab for
> a windows computer that is already a member of an active directory
> domain.
Do you have to use the Windows "host" principal? Can your application
use a different principal, like HTTP o
Hi,
I'd like to find out if there is any way to extract a HOST keytab for
a windows computer that is already a member of an active directory
domain.
A Java developer I look after wants to do the single sign on thing to
his web application. Our environment is a mixed Active Directory and
S