Re: Windows 2012R2 & MIT Kerberos Trust / SSO

2016-08-21 Thread Mauricio Tavares
There are ways to sync the AD server with the KDC, so in effect they are separate but equal. On Aug 20, 2016 12:14 PM, "Darren Terry" wrote: List, I am currently working on a project where I am required to integrate a Windows 2012R2 domain with an existing Kerberos

Windows 2012R2 & MIT Kerberos Trust / SSO

2016-08-20 Thread Darren Terry
List, I am currently working on a project where I am required to integrate a Windows 2012R2 domain with an existing Kerberos realm. The domain has not been built yet so I have the luxury of having no technical debt to deal with, I get a fresh start on the Windows side. Does anyone have experience

SSO fails when using Timezone redirection

2016-04-27 Thread Tripathi, Anand
Hello, We are the end users of Kerberos for the SSO and majorly we are using it with SAP systems. Issue we are having is that SSO fails when we use the Timezone redirection feature of Windows while using RDP. It happens when time-zone of the remote user is equal to or greater than 10 hours

sso authentication via a physical load-balancer towards a WebLogic server

2015-11-29 Thread Adi Leica
Hello Kerberos Community. At the organisation where I work we are trying to achieve SSO authentication using Kerberos mechanism on the following setup: - physical load-balancer (machine1) receiving incoming http sessions, but redirecting the traffic to a WebLogic Server (machine2

Question on Kerberos SSO with MS-PKCA (Microsoft's implementation of PKINIT) preauthentication

2014-10-14 Thread GK
I am working on enabling Kerberos based SSO (with PKI used for initial authentication) in our test environment. Domain controller is windows server 2008 R2, Access resources are few web applications hosted on (IIS of a server 2008 R2 machine) and Resource client is windows 7 machine, in which

Trasparent SSO Kerberos with HPC web portal

2013-04-19 Thread Elia Pinto
Hello A client of mine asked me how it can be complex if not impossible to find a WORKING HPC web Job Scheduler (http://en.wikipedia.org/wiki/Job_scheduler) that supports transparent SSO in a mixed Windows / Linux env with an AD as domain controller (KERBEROS master KDC ). This web HPC job

Problem with Kerberos SSO to SAP system

2012-11-02 Thread Louis Scott
We are having problems getting SSO to work to SAP systems running on RHEL 6.3. We have a number of systems running on RHEL 5.8, and SSO is working without any problems, but it is failing for some reason with the systems on the RHEL 6.3 systems. The server and library information

Strange problem with putty/sso

2012-10-11 Thread Jarek
Hello! I have windows 2008R2 with AD and few Linux servers. I've installed debian squeeze on one of the servers and next integrated it with domain (kerberos, winbind, samba etc) with test PDC. As the SSO with putty was working fine, the system has been cloned to remaining machines. Next

Re: Strange problem with putty/sso

2012-10-11 Thread Douglas E. Engert
On 10/11/2012 3:44 PM, Jarek wrote: Hello! I have windows 2008R2 with AD and few Linux servers. I've installed debian squeeze on one of the servers and next integrated it with domain (kerberos, winbind, samba etc) with test PDC. As the SSO with putty was working fine, the system has

SAP SSO Setup on UNIX Solaris and Linux

2012-07-26 Thread Sekhar kota
Hi, We are planning to configure SAP SSO (Kerberos) on UNIX servers. All SAP Servers are running on Solaris and Linux. Can you please provide the architecture, procedure and process we need to follow to setup this ? So that I will discuss with customer. Please share links for reference

RE: SAP SSO Setup on UNIX Solaris and Linux [Public]

2012-07-26 Thread Sylvain Cortes
[mailto:kerberos-boun...@mit.edu] On Behalf Of Sekhar kota Sent: Thursday, 26 July 2012 10:18 To: kerberos@mit.edu Subject: SAP SSO Setup on UNIX Solaris and Linux Hi, We are planning to configure SAP SSO (Kerberos) on UNIX servers. All SAP Servers are running on Solaris and Linux. Can you please

RE: SAP SSO Setup on UNIX Solaris and Linux [Public]

2012-07-26 Thread Tim Alsop
Or maybe you can take a look at http://sap.cybersafe.com Thanks, Tim -Original Message- From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Sylvain Cortes Sent: 26 July 2012 18:07 To: Sekhar kota; kerberos@mit.edu Subject: RE: SAP SSO Setup on UNIX Solaris

Windows client SSO

2012-05-21 Thread Olivier BILHAUT
with the same openldap backend. Many things works as expected : * The windows clients can join samba domain (auth/share) * The linux hosts can use kerberos and samba (auth/share) * The user database is unique Now we wonder about SSO. It works fine with kerberos clients on linux (tried

sso + IIS kerberos Sap Business object

2011-01-04 Thread İlker TIRAŞ
Hello everybody I create Service Account setspn - a BOSSO/TESTVM2.MTRC.NET bo I grant delegation trust for tesvm2 machine and service account but I am still getting the error on client machine please help :) Account Information Not Recognized: An error has occurred propagating the security context

Re: SSO Linux -- AD using GSSAPI

2010-11-29 Thread Douglas E. Engert
November 2010 21:11 To: SANDERS Miguel; kerberos@mit.edu Subject: RE: SSO Linux -- AD using GSSAPI Yes I have that checked, no other changes made to PuTTY. # tail -f /var/log/secure | grep credentials Nov 26 12:08:33 bilbo-rh5 sshd[19970]: debug1: Got no client credentials Nov 26 12:08:33

RE: SSO Linux -- AD using GSSAPI

2010-11-29 Thread Carter, Joel
. -Original Message- From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Douglas E. Engert Sent: November-29-10 7:29 AM To: kerberos@mit.edu Subject: Re: SSO Linux -- AD using GSSAPI On 11/26/2010 2:13 PM, SANDERS Miguel wrote: Hmm, what value do you have

RE: SSO Linux -- AD using GSSAPI

2010-11-26 Thread Carter, Joel
[mailto:miguel.sand...@arcelormittal.com] Sent: November-26-10 12:05 PM To: Carter, Joel; kerberos@mit.edu Subject: RE: SSO Linux -- AD using GSSAPI Did you check the Delegate credentials in PuTTY? (Connection - SSH - GSSAPI) Met vriendelijke groet Best regards Bien à vous Miguel SANDERS

RE: SSO Linux -- AD using GSSAPI

2010-11-26 Thread SANDERS Miguel
November 2010 21:11 To: SANDERS Miguel; kerberos@mit.edu Subject: RE: SSO Linux -- AD using GSSAPI Yes I have that checked, no other changes made to PuTTY. # tail -f /var/log/secure | grep credentials Nov 26 12:08:33 bilbo-rh5 sshd[19970]: debug1: Got no client credentials Nov 26 12:08:33 bilbo-rh5

RE: SSO Linux -- AD using GSSAPI

2010-11-26 Thread Carter, Joel
: November-26-10 12:13 PM To: Carter, Joel; kerberos@mit.edu Subject: RE: SSO Linux -- AD using GSSAPI Hmm, what value do you have for the RealmFlags in the registry ? http://technet.microsoft.com/en-us/library/cc736698%28WS.10%29.aspx Met vriendelijke groet Best regards Bien à vous Miguel

RE: SSO Linux -- AD using GSSAPI

2010-11-26 Thread SANDERS Miguel
printing this e-mail -Original Message- From: Carter, Joel [mailto:jo...@trailerwizards.com] Sent: Friday, 26 November 2010 21:20 To: SANDERS Miguel; kerberos@mit.edu Subject: RE: SSO Linux -- AD using GSSAPI Thank you for your help. HKEY_LOCAL_MACHINE\SYSTEM

RE: SSO Linux -- AD using GSSAPI

2010-11-26 Thread Carter, Joel
Message- From: SANDERS Miguel [mailto:miguel.sand...@arcelormittal.com] Sent: November-26-10 12:27 PM To: Carter, Joel; kerberos@mit.edu Subject: RE: SSO Linux -- AD using GSSAPI If you have the proper kerberos SRV records, just create a key under domains (LOCAL.CA) and set RealmFlags to 6 (4

SSO for Macintosh browsers

2009-11-13 Thread Davalos, Jeff (STL-MOM)
have been working to implement an SSO product across my enterprise. The product works by configuring browsers to read the Kerberos ticket information from the local machine and forward the information inside of the ticket to my SSO web service for verification. I can accomplish this on all my

configure SSO on i5 and windows 2000

2009-05-14 Thread jchitanie
Hi All, I am busy with SSO and I am using the red book of IBM. At the moment I do kinit I get the following message can anyone help me? I am struggling for weeks with this. Help please kinit -k krbsvr400/cbsys01.cbvs.lo...@cbdks01.cbvs.local Message 0x96c73a44 not found in catalog

RE: Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic Server 8.1.

2009-01-23 Thread Nika Gerson Lohman
@mit.edu' Subject: Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic Server 8.1. First of all, a quick description of our issue. We've tried many different things, but cannot get WebLogic to unwrap the SPNEGO token so it authenticates using Kerberos. We received several errors

Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic Server 8.1.

2009-01-02 Thread Nika Gerson Lohman
First of all, a quick description of our issue. We've tried many different things, but cannot get WebLogic to unwrap the SPNEGO token so it authenticates using Kerberos. We received several errors while trying to debug, here's the one we see most: KDC has no support for encryption type (14)

Re: SSO

2008-07-21 Thread Michael Ströder
to Russ) for clarifying this. My goal when doing SSO for web applications is that I don't trust the web applications so much not to reveal the user's credentials. Your choices are based on necessity, not trust. If the web application needs delegated credentials (e.g. to authenticate as the user

Re: SSO

2008-07-21 Thread Douglas E. Engert
always be very cautious in delegating, as a delegated TGT is usually as good as the one you get with login or kinit. SSH has the ssh_config GSSAPIDelegateCredentials yes to control delegation. My goal when doing SSO for web applications is that I don't trust the web applications so much

Re: SSO

2008-07-18 Thread Russ Allbery
Michael B Allen [EMAIL PROTECTED] writes: If you read the whole thread you'd know I'm only talking about the *IntrAnet* scenario. With SPNEGO you do not type in a passwords at all whereas with WebAuth you might need to. You're making a bogus comparison. If you don't have to type in passwords

Re: SSO

2008-07-18 Thread Russ Allbery
Michael Ströder [EMAIL PROTECTED] writes: Russ Allbery wrote: (If you use Firefox, you don't have to actually be a member of the domain; you can use a different mechanism for getting Kerberos tickets, such as NIM.) What is NIM? Network Identity Manager, although properly speaking the bit

Re: SSO

2008-07-18 Thread Simon Wilkinson
is that all of this configuration, and fallback, is handled at a single location which greatly simplifies management, both of services (which only need to know how to talk to your Web SSO system), and clients (which only need to be set up to do SPNEGO with your Web SSO login host, if at all

Re: SSO

2008-07-18 Thread Sharad Desai
complicates your trust model. The advantage of a WebSSO system like Cosign or WebAuth is that all of this configuration, and fallback, is handled at a single location which greatly simplifies management, both of services (which only need to know how to talk to your Web SSO system), and clients

Re: SSO

2008-07-18 Thread Michael B Allen
to their requirement for redirects. For us, this was a small price to pay. SPNEGO handles authenticating POST just fine. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https

Re: SSO

2008-07-18 Thread Simon Wilkinson
. The original poster explicitly ... does not want to use AD in any solution. While I'm here, I should also respond to: Then you have SSO solutions like OpenID which are really more like triple sign on since you have to login to your workstation, then to the OpenID service and then put in the OpenID

Re: SSO

2008-07-18 Thread Michael Ströder
Michael B Allen wrote: On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery [EMAIL PROTECTED] wrote: And that is the scenario where direct SPNEGO / NTLMSSP solutions are going to perform better. If by better you mean pretty much the same, yes, modulo the configuration note that I mentioned. No, I

Re: SSO

2008-07-18 Thread Michael B Allen
Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: SSO

2008-07-18 Thread Russ Allbery
of a POST, nor is there any good way to stash the data that comes along with a POST while bouncing the user through the login server without application support for the SSO system (which is contrary to a primary goal: ability to drop WebSSO in front of any arbitrary web application without modifying

Re: SSO

2008-07-18 Thread Russ Allbery
Michael Ströder [EMAIL PROTECTED] writes: Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought it's just a service ticket. It's optional. The browser can choose to delegate credentials or not, based on local configuration. (In Firefox, for example, it's two separate

Re: SSO

2008-07-18 Thread Michael Ströder
, then a TGT will be included. Which entity has to set this flag when calling into the API? The web browser or the web server? My goal when doing SSO for web applications is that I don't trust the web applications so much not to reveal the user's credentials. Ciao, Michael

Re: SSO

2008-07-18 Thread Michael B Allen
, if you're using Windows clients in an AD environment and the HTTP service account has Trusted for delegation turned off, the TGT will not be sent. My goal when doing SSO for web applications is that I don't trust the web applications so much not to reveal the user's credentials. Your choices are based

Re: SSO

2008-07-18 Thread Russ Allbery
Michael B Allen [EMAIL PROTECTED] writes: Your choices are based on necessity, not trust. If the web application needs delegated credentials (e.g. to authenticate as the user with another tier), then you need to send the TGT [1]. Unless you use a system such as WebAuth or Cosign that supports

SSO

2008-07-17 Thread Sharad Desai
Hi All, I was actually interested in implementing a web SSO solution for my environment. I have five applications -- all web applications, so a web SSO is needed -- and three run off of Windows, while the other two are Unix and Linux. Since they are web apps, it won't matter from where

Re: SSO

2008-07-17 Thread Douglas E. Engert
Sharad Desai wrote: Hi All, I was actually interested in implementing a web SSO solution for my environment. I have five applications -- all web applications, so a web SSO is needed -- and three run off of Windows, while the other two are Unix and Linux. Since they are web apps

Re: SSO

2008-07-17 Thread Javier Palacios
and the network.negotiate-auth.trusted-uris option. The main (and probably only) drawback of this method is that is all about HTTP basic authentication, and most of applications only allow some kind of cookie based auth. You might want to look at PAPI (http://papi.rediris.es), it only provides Web SSO, but I

Re: SSO

2008-07-17 Thread Sharad Desai
authentication, and most of applications only allow some kind of cookie based auth. You might want to look at PAPI (http://papi.rediris.es), it only provides Web SSO, but I think is enough for you. Allows multiple authentication backends, and although it is not packaged as default it is possible

Re: SSO

2008-07-17 Thread Russ Allbery
Sharad Desai [EMAIL PROTECTED] writes: Also, (I'm not sure how familiar people are with Cosign) since Cosign transforms Kerberos authentication to a cookie-based authentication which the browsers can use, I was wondering if you have had any experience with this. Given your platform

Re: SSO

2008-07-17 Thread Michael B Allen
) since Cosign transforms Kerberos authentication to a cookie-based authentication which the browsers can use, I was wondering if you have had any experience with this. When trying to determine the right SSO solution for your web applications, it is important to realize that the mode of operation

Re: SSO

2008-07-17 Thread Sharad Desai
familiar people are with Cosign) since Cosign transforms Kerberos authentication to a cookie-based authentication which the browsers can use, I was wondering if you have had any experience with this. When trying to determine the right SSO solution for your web applications, it is important

Re: SSO

2008-07-17 Thread Sharad Desai
Thanks Russ. Given your platform constraints and desire to avoid Active Directory, I think Cosign is definitely your best option. However, I believe that you will need a UNIX server to run the Cosign login daemon, even though you can use IIS for specific web applications. I could be wrong,

Re: SSO

2008-07-17 Thread Michael Ströder
Sharad Desai wrote: You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS have SPNEGO built in, and can use the Kerberos in Active Directory. Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any platform see the about:config and the

Re: SSO

2008-07-17 Thread Russ Allbery
Michael B Allen [EMAIL PROTECTED] writes: For example, you mentioned WebAuth and CoSign. Both of these solutions are really targeted for highly heterogeneous environments like University networks where the only client requirement is that the browser support cookies. So it works on the

Re: SSO

2008-07-17 Thread Michael B Allen
environment where clients are logged into a domain 90% of the time, the performance and flexibility of direct SPNEGO / NTLMSSP is almost always going to be a better solution. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com

Re: SSO

2008-07-17 Thread Michael Ströder
Russ Allbery wrote: (If you use Firefox, you don't have to actually be a member of the domain; you can use a different mechanism for getting Kerberos tickets, such as NIM.) What is NIM? Ciao, Michael. Kerberos mailing list

Re: SSO

2008-07-17 Thread Michael B Allen
and the 200 response is less than 20 ms (or ~50 ms if the user is in a few hundred groups). Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu

Re: SSO

2008-07-17 Thread Christopher D. Clausen
Michael B Allen [EMAIL PROTECTED] wrote: On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery [EMAIL PROTECTED] wrote: And that is the scenario where direct SPNEGO / NTLMSSP solutions are going to perform better. If by better you mean pretty much the same, yes, modulo the configuration note that I

Re: SSO

2008-07-17 Thread Michael B Allen
it as trusted for delegation. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: SSO

2008-07-17 Thread Russ Allbery
Michael B Allen [EMAIL PROTECTED] writes: On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery [EMAIL PROTECTED] wrote: If by better you mean pretty much the same, yes, modulo the configuration note that I mentioned. No, I definitely meant better. With direct SPNEGO we 401 the initial HTTP

SAP GUI with Kerberos 5, SAP Linux, SNC for SSO

2008-07-15 Thread jhouska
Hi, I'm trying to configure SSO between SAP GUI 6.40 (Windows) and SAP 6.40 (Red Hat). I followed the instructions at http://help.sap.com/saphelp_nw04s/helpdata/en/44/0ebf6c9b2b0d1ae1000a114a6b/content.htm (but used libgssapi_krb5.so instead of gsskrb5.dll) but I have a trouble: The checkbox

Re: SAP SSO: No Kerberos SSPI credentials available for requested name

2008-06-10 Thread Michael Ströder
[EMAIL PROTECTED] wrote: SAP Support says, that the guys at MIT have successfully implemented such a scenario One of my customers also successfully installed that. I wasn't involved in that though. With this particular error message I'd examine two things: 1. DNS A and PTR RRs for all

Re: SAP SSO: No Kerberos SSPI credentials available for requested name

2008-06-10 Thread Michael Ströder
[EMAIL PROTECTED] wrote: On 9 Jun., 10:17, Michael Ströder [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: SAP Support says, that the guys at MIT have successfully implemented such a scenario One of my customers also successfully installed that. I wasn't involved in that though. With

SAP SSO: No Kerberos SSPI credentials available for requested name

2008-06-10 Thread tomglx
KB885887 couldn't be a factor, because SP3 already includes it. We've installed the SAP SSO Kerberos solution using Calin Barbat's fine instruction posting on this list. In this posting he mentions, that for him Kerberos SSO also doesn't work all the time. With no specifics. SSO works initially every

Re: SAP SSO: No Kerberos SSPI credentials available for requested name

2008-06-10 Thread tomglx
On 9 Jun., 10:17, Michael Ströder [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: SAP Support says, that the guys at MIT have successfully implemented such a scenario One of my customers also successfully installed that. I wasn't involved in that though. With this particular error

Re: support SSO in Windows with Keberos TGT

2008-02-25 Thread Danny Mayer
. Danny Date: Fri, 22 Feb 2008 18:14:24 -0500 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] CC: [EMAIL PROTECTED]; kerberos@mit.edu Subject: Re: support SSO in Windows with Keberos TGT sylvain cortes wrote

RE: support SSO in Windows with Keberos TGT

2008-02-25 Thread sylvain cortes
as you said for keeping the time in synch... but time issues can provide some strange behaviour with kerberos. Sylvain CORTES [EMAIL PROTECTED] Date: Fri, 22 Feb 2008 18:14:24 -0500 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] CC: [EMAIL PROTECTED]; kerberos@mit.edu Subject: Re: support SSO

Re: support SSO in Windows with Keberos TGT

2008-02-22 Thread Danny Mayer
sylvain cortes wrote: hi - you always can do everything...it's a question about time ;-) I did the classic way before using centrify, and it was hell to maintain: manage the keytab, manage the ad account, manage the NTP client to have the right ticket session, etc... Sorry but NTP doesn't use

RE: support SSO in Windows with Keberos TGT

2008-02-19 Thread sylvain cortes
: Re: support SSO in Windows with Keberos TGT sylvain cortes wrote: it's managed by the centrify client deployed on the Unix/Linux host You do understand that the issue here is how to use applications written to use KFW and applications written to use Kerberos SSP on the Windows platform

Re: support SSO in Windows with Keberos TGT

2008-02-19 Thread Christopher D. Clausen
sylvain cortes [EMAIL PROTECTED] wrote: So, for example, a windows computer which use Putty can present a kerberos ticket to a Unix machine with the Centrofy client, without any re-authentication. And Unix to Windows, or Unix to Unix works also in the same way. You can do that without paying

RE: support SSO in Windows with Keberos TGT

2008-02-19 Thread sylvain cortes
PROTECTED] To: [EMAIL PROTECTED] CC: kerberos@mit.edu Subject: Re: support SSO in Windows with Keberos TGT Date: Tue, 19 Feb 2008 13:08:22 -0600 sylvain cortes [EMAIL PROTECTED] wrote: So, for example, a windows computer which use Putty can present a kerberos ticket to a Unix machine

Re: support SSO in Windows with Keberos TGT

2008-02-14 Thread Jeffrey Altman
suggesting that the user switch from Windows based clients to UNIX/Linux based clients as a solution to his SSO issues on Windows? smime.p7s Description: S/MIME Cryptographic Signature Kerberos mailing list Kerberos@mit.edu https

RE: support SSO in Windows with Keberos TGT

2008-02-14 Thread sylvain cortes
it's managed by the centrify client deployed on the Unix/Linux host Sylvain CORTES [EMAIL PROTECTED] Date: Wed, 13 Feb 2008 18:46:17 -0500 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] CC: kerberos@mit.edu Subject: Re: support SSO in Windows with Keberos TGT Sylvain - MVP GPOs wrote: Hi

Re: support SSO in Windows with Keberos TGT

2008-02-13 Thread Jeffrey Altman
Sylvain - MVP GPOs wrote: Hi, perhaps you can have a look on www.centrify.com which provide a interop SSO between Windows/Unix/linux based on Kerberos... sylvain How would that solve the need a single credential cache problem that this thread is discussing? smime.p7s Description: S

Re: sso problems

2008-02-12 Thread Richard E. Silverman
hello folks, i have gone through the mail archive for suggestions but i can't seem to make headway. i am not sure what i am missing. am i supposed to export contents of krb5.keytab and copy them to the client systems? i can't even log on to the kerb server. the ssh session just drops to

sso problems

2008-02-12 Thread john smith
hello folks, i have gone through the mail archive for suggestions but i can't seem to make headway. i am not sure what i am missing. am i supposed to export contents of krb5.keytab and copy them to the client systems? i can't even log on to the kerb server. the ssh session just drops to the

Re: Fw: SSO with telnet/rlogin/rsh

2008-01-28 Thread Ido Levy
Dodin/Haifa/[EMAIL PROTECTED] Subject 01/15/2008 06:05 Re: Fw: SSO with telnet/rlogin/rsh PM

Re: support SSO in Windows with Keberos TGT

2008-01-28 Thread Jeffrey Altman
to be written. How we can support SSO with Kerberos TGT. how all other products is able to do this. What do you mean by other products? They are maintaining their own clients for supporting SSO? What do you mean by maintaining their own clients? Here my problem is all client

Re: support SSO in Windows with Keberos TGT

2008-01-27 Thread Eswar S
Hi, Using Mit Kerberos how can I support SSO? You can obtain your tickets during the windows logon process from your domain controller and then access them from KFW aware applications by setting the default ccache to MSLSA: or by permitting Network Identity Manager to synchronize the MSLSA

Re: support SSO in Windows with Keberos TGT

2008-01-25 Thread Jeffrey Altman
Eswar S wrote: Hi, Using Mit Kerberos how can I support SSO? You can obtain your tickets during the windows logon process from your domain controller and then access them from KFW aware applications by setting the default ccache to MSLSA: or by permitting Network Identity Manager

support SSO in Windows with Keberos TGT

2008-01-24 Thread Eswar S
Hi, Using Mit Kerberos how can I support SSO? Is it possible to update Microsoft cache? How can I make other kerberised application to use cache file which is generated by my application. I mean when I got credentials (TGT) from KDC, I will store to cache file. I will set it as default cache

Re: Kerberos SSO with SAP ERP (AIX) and SAP GUI

2008-01-22 Thread Labiner
to, is indeed SAP certified. But depending on your implementation scenario and the user's main access point: you might want to think about implementing SSO via SAP Enterprise Portal. This is a very robust solution that requires no additional software license. Best Regards, Eric Labiner SAP NetWeaver

Kerberos SSO with SAP ERP (AIX) and SAP GUI

2008-01-17 Thread Taylor, Richard
SSO into that application server running on AIX. Any help is greatly appreciated! Best Regards, Rick Taylor OGE Energy Corp. SAP / Database Administrator phone: (405) 553-2426 Mobile: (405) 623-7537 Kerberos mailing list Kerberos

RE: Kerberos SSO with SAP ERP (AIX) and SAP GUI

2008-01-17 Thread Tim Alsop
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Taylor, Richard Sent: 17 January 2008 17:14 To: kerberos@mit.edu Subject: Kerberos SSO with SAP ERP (AIX) and SAP GUI Hi, If possible, please point me to some successful documentation where Kerberos V is used to setup Single Sign

RE: SSO with telnet/rlogin/rsh

2008-01-15 Thread Barbat, Calin
] On Behalf Of Ido Levy Sent: Tuesday, January 15, 2008 3:53 PM To: kerberos@mit.edu Cc: Olga Dodin Subject: Fw: SSO with telnet/rlogin/rsh We did a deeper investigation of this issue and found out that the difference between sshd and telnetd is in the user credential cache file name. While ssh

Fw: SSO with telnet/rlogin/rsh

2008-01-15 Thread Ido Levy
Subject SSO with telnet/rlogin/rsh

Re: Fw: SSO with telnet/rlogin/rsh

2008-01-15 Thread Kevin Coffman
SSO with telnet/rlogin/rsh Hello, I am trying to set up SSO in a Linux environment which has the following components up and running:. Kerberos 5 LDAP Kerberized NFSv4 ( security flavor krb5 ) Automount When using ssh everything works fine, tickets

Re: Fw: SSO with telnet/rlogin/rsh

2008-01-15 Thread Russ Allbery
Douglas E. Engert [EMAIL PROTECTED] writes: From a Kerberos prospective both could be correct. Using the process ID as part of the cache name allows for session based credentials, so each telnet session has its own cache. telnetd should include both the UID and the PID in the cache name.

Re: Fw: SSO with telnet/rlogin/rsh

2008-01-15 Thread Douglas E. Engert
Ken Hornstein wrote: telnetd should include both the UID and the PID in the cache name. This works much more smoothly with rpc.gssd and is what I do in pam-krb5. In a perfect world, we'd chuck the whole horrid scheme and create some utility to send the Kerberos credentials to rpc.gssd or

Re: Fw: SSO with telnet/rlogin/rsh

2008-01-15 Thread Ken Hornstein
That is what DCE did. The PAG number was part of the cache name in a well known location. I don't want the cache in a well known location. I want to tell the OS or some utility, Hey, here's my TGT, or perhaps even, Talk to me on this socket/port/door to get a ticket for a service. --Ken

Re: Fw: SSO with telnet/rlogin/rsh

2008-01-15 Thread Russ Allbery
Douglas E. Engert [EMAIL PROTECTED] writes: OK that works too. But I thought the main problem as stated in the note was that the rpc.gssd could not read the environment of the process, and thus always defaulted to using the default ticket cache. This is the same set of issues I have with Nico

Re: Fw: SSO with telnet/rlogin/rsh

2008-01-15 Thread Russ Allbery
Ken Hornstein [EMAIL PROTECTED] writes: telnetd should include both the UID and the PID in the cache name. This works much more smoothly with rpc.gssd and is what I do in pam-krb5. In a perfect world, we'd chuck the whole horrid scheme and create some utility to send the Kerberos

Re: Fw: SSO with telnet/rlogin/rsh

2008-01-15 Thread Douglas E. Engert
Ken Hornstein wrote: That is what DCE did. The PAG number was part of the cache name in a well known location. I don't want the cache in a well known location. I want to tell the OS or some utility, Hey, here's my TGT, or perhaps even, Talk to me on this socket/port/door to get a ticket

Re: Fw: SSO with telnet/rlogin/rsh

2008-01-15 Thread Ken Hornstein
I think AFS uses the correct model. Credentials are really an attribute of the user and for the best security should be tracked by the kernel like any other security attribute of the user (UID, GID, supplemental groups, capabilities, etc.). But that gets into really nasty cross-platform issues,

Re: Fw: SSO with telnet/rlogin/rsh

2008-01-15 Thread Kevin Coffman
On Jan 15, 2008 3:19 PM, Douglas E. Engert [EMAIL PROTECTED] wrote: Ken Hornstein wrote: That is what DCE did. The PAG number was part of the cache name in a well known location. I don't want the cache in a well known location. I want to tell the OS or some utility, Hey, here's my

SSO with telnet/rlogin/rsh

2008-01-07 Thread Ido Levy
Hello, I am trying to set up SSO in a Linux environment which has the following components up and running: Kerberos 5 LDAP Kerberized NFSv4 ( security flavor krb5 ) Automount When using ssh everything works fine, tickets ( for both user and nfs ) are forward and when

SSO implementation for SAP running on Solaris 10

2007-12-26 Thread Senthil Murugan Muthuvelu
Hi I'm in the process of implementing SSO for SAP systems. The systems in the landscape include DEV-QA-PRD and some sandbox also. We want to achieve Desktop SSO so that users are not asked to re-enter access credentials (password, username). Once an user signs in one of the systems

RE: SSO implementation for SAP running on Solaris 10

2007-12-26 Thread Tim Alsop
Senthil, Can I ask why you don't want to use any 3rd party tools to implement SSO with your SAP systems ? Anyway, you might want to check http://www.cybersafe.com/d2 then click on the link provided, and watch the flash videos to see how to setup SSO with SAP GUI. Thanks, Tim -Original

Re: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users

2007-12-13 Thread palm
data. Click to get it now. http://sourceforge.net/powerbar/db2/ Markus [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] You can get rid of the loginbox by setting the option KrbMethodK5Passwd to off in your Kerberos configuration (I would recommend this, because this is the SSO you

Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users

2007-11-26 Thread palm
hi, currently we had a heavy problem with our SSO configuration. u can see in subject which configuration we have. its a apache2 with kerberos modules and the users are in an MS active directory. everything works rather fine. but some of the users get a login message dialog box few times a day

Re: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users

2007-11-26 Thread f . d
@mit.edu Subject: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users hi, currently we had a heavy problem with our SSO configuration. u can see in subject which configuration we have. its a apache2 with kerberos modules and the users are in an MS active directory

Re: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users

2007-11-26 Thread Nikhil
, Florian Original Message Date: Mon, 26 Nov 2007 03:04:43 -0800 (PST) From: palm [EMAIL PROTECTED] To: kerberos@mit.edu Subject: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users hi, currently we had a heavy problem with our SSO

Re: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users

2007-11-26 Thread palm
thanks guys !! @florian i do all this things already ... browser are configured fine for kerberos @nikhil i check all the tickets and there seems to be everything okay but the login box pops up ?!?! i don't know why and I'm still searching

Re: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users

2007-11-26 Thread f . d
You can get rid of the loginbox by setting the option KrbMethodK5Passwd to off in your Kerberos configuration (I would recommend this, because this is the SSO you want). But if you do this people will get Access denied instead of the loginbox if Kerberos is not working. Regards, Florian
