Hello Claude,
Claude> I want to build a SSO between Windows 2000 and my J2EE application. My Java
Claude> clients connect to WLS 8.1 running on Solaris.
Claude> I would like to use the Windows 2000 KDC and I have no KDC on UNIX.
Claude> 1) Is it correct to implement this using JAAS and the GSS-AP
Hi
I want to build a SSO between Windows 2000 and my J2EE application. My Java
clients connect to WLS 8.1 running on Solaris.
I would like to use the Windows 2000 KDC and I have no KDC on UNIX.
1) Is it correct to implement this using JAAS and the GSS-API?
2) What configuration do I need to do t
encrypted
session.
---
>Date: Mon, 27 Oct 2003 09:38:16 -0500
>Thread-Topic: having difficulty setting up a linux client with Win2k KDC
>T
in /etc/inetd.conf were a little screwy.
-Original Message-
From: Peter J. Bertoncini <[EMAIL PROTECTED]>
[mailto:[EMAIL PROTECTED]
Sent: Monday, October 27, 2003 11:16 AM
To: [EMAIL PROTECTED]; Mehta, Rohit
Subject: Re: having difficulty setting up a linux client with Win2k KDC
October 2003 14:38
To: [EMAIL PROTECTED]
Subject: having difficulty setting up a linux client with Win2k KDC
Hi guys, I am fairly new to kerberos and I would like to set up Linux clients to use a
Win2k KDC. We have an active directory, and I have a Debian (Woody) system with the
following
Hi guys, I am fairly new to kerberos and I would like to set up Linux clients
to use a Win2k KDC. We have an active directory, and I have a Debian (Woody)
system with the following packages installed:
afs-test:/home/ro# dpkg -l |grep krb5
ii krb5-admin-ser 1.2.4-5woody4 Mit Kerberos master
preetam R <[EMAIL PROTECTED]> wrote:
>I have a win2k server with sp3, configured with AD.
> I am trying to use MIT's kinit (1.2.5) against this
> kdc. I get an error "KDC reply did not match
> expectations while getting initial credentials".
I had case-sensitivity problems with this. Once I r
Hi,
I have a win2k server with sp3, configured with AD.
I am trying to use MIT's kinit (1.2.5) against this
kdc. I get an error "KDC reply did not match
expectations while getting initial credentials".
Has anyone faced a similar problem? If it is a
known issue, what is the problem?
Thanks,
Hello,
I apologize in advance for this newbie question but I've done a bunch of
searching and cannot find the solution to my problem.
I am trying to run auth to a win2k kdc via 'kinit administrator@REALM' but
keep getting a 'kinit: KDC reply did not match expectations w
Hello,
I try to set up a DCE 2.2 KDC <-> windows 2000 KDC trust-relationship
but there are still some problems.
When I use an MIT KDC everything works fine and I can log on with
my win2k workstation via the MIT KDC to the win2k DC.
I have used a network-sniffer (ethereal) to investigate the
Ke
Hi all,
I am calling some GSSAPI functions on a Solaris machine, while the KDC is
running on Windows2k.
The names of the functions that I am using are listed below
gss_init_sec_context
gss_accept_sec_context
gss_acquire_cred
All a
> -Original Message-
> From: Adam Bentley [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 11:01 AM
> To: [EMAIL PROTECTED]
> Subject: Logging Mic
I was wondering if anyone had tried enabling logging on the KDC on
Windows 2000. Microsoft say a registry entry of,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 0x1
and a reboot should enable it. However
-
> From: Dave Snoopy [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 13, 2002 12:09 PM
> To: [EMAIL PROTECTED]
> Subject: using kinit with a Win2k KDC
>
> Hi All,
>
> I am using MIT Kerberos 5, and its tool "kinit", to
> try and get a TGT from a Win2k KDC (which
e
of this it is just like an "upgrade" even though the domain is new.
-Original Message-
From: Dave Snoopy [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 13, 2002 12:09 PM
To: [EMAIL PROTECTED]
Subject: using kinit with a Win2k KDC
Hi All,
I am using MIT Kerberos 5, and its tool
Hi All,
I am using MIT Kerberos 5, and its tool "kinit", to
try and get a TGT from a Win2k KDC (which is also my
Primary Domain Controller).
My KDC/PDC is called GEM.MYCOMPANY.COM. I am able to
get a ticket for any user which I create on Gem (e.g.
kinit [EMAIL PROTECTED]). I'
I've successfully used a Win2K KDC to obtain tickets and use them on a RedHat Linux
box. I followed the steps in the following article:
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
Check out the subsection toward the top of the article called "To con
Hello,
I have Windows 2000 Server with Domain setup here. I know that kerberos is
vital part of active directory in windows. It is possible to
authenticate Unix client
(like Linux) to windows based KDC? Some experiences, links are welcomed.
Thanks.
-David
_
> "Ganesh" == Ganesh <[EMAIL PROTECTED]> writes:
Ganesh> Hi, I have an environment where all the machines are
Ganesh> win2k. The KDC is setup correctly on the PDC.
Ganesh> I would like to use MIT kerberos and GSSAPI for client
Ganesh> authentication. Is this possible? I re
Hi,
I have an environment where all the machines are win2k.
The KDC is setup correctly on the PDC.
I would like to use MIT kerberos and GSSAPI for client
authentication. Is this possible? I read somewhere that the
client cannot use GSSAPI to communicate with the KDC,
because KDC on Win2k does n
On Tue, Jan 29, 2002 at 04:07:57PM -0600, Rick wrote:
> Under what circumstances would my host have a shared secret with the KDC?
> Note: I moved the keytab file to a directory not in my path and I could
> still kinit the Win2k KDC. I'm still trying to figure out why MS sai
Jan 29, 2002 at 04:07:57PM -0600, Rick wrote:
> Under what circumstances would my host have a shared secret with the KDC?
> Note: I moved the keytab file to a directory not in my path and I could
> still kinit the Win2k KDC. I'm still trying to figure out why MS said I
> need
Under what circumstances would my host have a shared secret with the KDC?
Note: I moved the keytab file to a directory not in my path and I could
still kinit the Win2k KDC. I'm still trying to figure out why MS said I
need the keytab file on the unix host. Based on Sean's re
> From: Nicolas Williams [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 29, 2002 6:40 AM
[...]
> In an ActiveDirectory world every host needs a keytab.
AD does not mandate the use of a keytab. However, you need a keytab if
your host is going to have a shared secret with the KDC, just
On Mon, Jan 28, 2002 at 05:04:15PM -0800, Sean Chittenden wrote:
> > I followed the instructions in Microsoft's Step-by-Step guide to
> > Interoperability and can kinit from solaris using my Win2k KDC. But
> > I have a few questions.
> >
> > I have no kt
> I followed the instructions in Microsoft's Step-by-Step guide to
> Interoperability and can kinit from solaris using my Win2k KDC. But
> I have a few questions.
>
> I have no ktutil program on my client so I just copied the keytab
> file to the /etc directory. I don
I followed the instructions in Microsoft's Step-by-Step guide to
Interoperability and can kinit from solaris using my Win2k KDC. But I have
a few questions.
I have no ktutil program on my client so I just copied the keytab file to
the /etc directory. I don't know if it's even
On Wed, Nov 21, 2001 at 11:23:18AM -0500, Tom Yu wrote:
> > "Will" == Will Fiveash <[EMAIL PROTECTED]> writes:
>
> Will> BTW, I have patched decrypt_as_reply() to do this check. Let me
> Will> know if you'd like me to send the patch in.
>
> Thanks. Please send this patch in bug report if y
> "Will" == Will Fiveash <[EMAIL PROTECTED]> writes:
Will> BTW, I have patched decrypt_as_reply() to do this check. Let me
Will> know if you'd like me to send the patch in.
Thanks. Please send this patch in bug report if you have the chance.
---Tom
On Tue, Nov 20, 2001 at 10:09:28AM -0500, Tom Yu wrote:
>
> If you have a malicious KDC, you have far worse problems. The (new
> for 1.2.3) KDC code should never issue a key of des-cbc-raw if it's
> not in the permitted_enctypes variable, which it should never be. The
> additional verification
> "Will" == Will Fiveash <[EMAIL PROTECTED]> writes:
Will> I do not see where the kerberos mech code verifies that
Will> as_reply->enc_part.enctype is one of the enctypes in the
Will> previous as_request. I'm thinking that a KDC, perhaps
Will> maliciously, could send an enctype like dec-cbc-
On Mon, Nov 19, 2001 at 12:32:20PM -0800, Will Fiveash wrote:
> I do not see where the kerberos mech code verifies that
> as_reply->enc_part.enctype is one of the enctypes in the previous
> as_request. I'm thinking that a KDC, perhaps maliciously, could send an
> enctype like dec-cbc-raw in as_re
Tom,
I was looking at your patch because I wanted a fix for similar problems
with the enctype and I have a security concern. In your patch you
coerce the enctype of the key found by the krb5_ktfile_get_entry() to
the enctype input parameter. Note that in decrypt_as_reply()
krb5_ktfile_get_entry
Sadly I'm in the UK so can't download the software from MIT... I'll attempt
to find a mirror of the beta.
Cheers,
Phil
-Original Message-
From: Tom Yu
To: Mayers, Philip J
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Sent: 17/11/2001 01:30
Subjec
Hi... so we have been working on a fix for this problem. Basically,
the file keytab retrieves a key using enctype similarity, but doesn't
coerce the enctype to match the one requested by the caller. This
means that if you have a des-cbc-md5 key in the keytab, and your
application server tries to
John Brezak
Cc: Mayers, Philip J; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Win2K KDC and Bad Encryption Type
>>>>> "John" == John Brezak <[EMAIL PROTECTED]> writes:
John> Can we expect a "hotfix" for this problem for 1.2.2?
John> Micr
EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: Re: Win2K KDC and Bad Encryption Type
>>>>> "Sam" == Sam Hartman <[EMAIL PROTECTED]> writes:
>>>>> "Mayers," == Mayers, Philip J <[EMAIL PROTECTED]> writes:
Sam> Ma
> "John" == John Brezak <[EMAIL PROTECTED]> writes:
John> Can we expect a "hotfix" for this problem for 1.2.2?
John> Microsoft has run into this problem also in our
John> interoperability testing.
Probably not. We're in the middle of 1.2.3 betas. It may be that
some of the enct
> "Sam" == Sam Hartman <[EMAIL PROTECTED]> writes:
> "Mayers," == Mayers, Philip J <[EMAIL PROTECTED]> writes:
Sam> Mayers,> Ok, to summarise: 1) GSSAPI always requests a
Sam> des-cbc-crc Mayers,> ticket for a service, ignoring the
Sam> configured values in Mayers,> the /e
> "Mayers," == Mayers, Philip J <[EMAIL PROTECTED]> writes:
Mayers,> Ok, to summarise: 1) GSSAPI always requests a des-cbc-crc
Mayers,> ticket for a service, ignoring the configured values in
Mayers,> the /etc/krb5.conf (or any other configuration) 2) Thus,
Mayers,> a des-cbc-
From: Sam Hartman [mailto:[EMAIL PROTECTED]]
Sent: 14 November 2001 00:28
To: Mayers, Philip J
Cc: '[EMAIL PROTECTED]'
Subject: Re: Win2K KDC and Bad Encryption Type
You really want to have the keytab populated with a des-cbc-crc ticket
not with a des-cbc-md5 ticket. This will be significan
You really want to have the keytab populated with a des-cbc-crc ticket
not with a des-cbc-md5 ticket. This will be significantly more
interoperable.
The GSSAPI mechanism requests des-cbc-crc explicitly overriding
tgs_enctypes. There was discussion of the reasons for that here and
on [EMAIL PROT
All,
I'm using the code recently written by Andrew Tridgell of the Samba project
- it does a SASL-enabled LDAP bind, adds your machine into the domain, sets
the machine account password and populates the keytab - very nice. I can now
join a machine into a Win2K domain completely client-side and i
anyone have experience configuring AIX 5L integrated logins to a
Windows 2000 KDC? Can it work?
-