[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heimdal client for Windows



On Sun, 28 Jan 2007 19:51:20 +0100
Stefan Gohmann <gohmann@univention.de> wrote:

> Hi Henry,
> 
> Am Freitag, 26. Januar 2007 20:22 schrieb Henry B. Hotz:
> > I had an exchange with Jeffrey Altman on MIT's krbdev list where I
> > worked through all the config items in Mozilla relatives to make a
> > Windows client use the Kerberos libraries in KfW.  You ought to be
> > able to find it with Google.  It works.
> 
> that's very nice.
> 
> > MS IE will always use the Microsoft kerberos implementation and the
> > tickets in the LSA.
> 
> Does that mean, it is not possible that the MS IE uses the ticket from the 
> Heimdal KDC? 

Not quite. IE could get a ticket from a Heimdal KDC but it would only
do so by going through the Local Security Authoriy (LSA). Meaning,
if you could run Heimdal client libs on a Windows client and the libs
used some kind of ccache file, IE would not be able to use it. The
Heimdal port would have use the credential cache associated with the
logon session. Meaning it would have to have some LSA code to store and
retrieve credentials (code that MIT has and could largely be copied).

Personally however I don't understand why someone would want to run
alternative Kerberos libraries on a Windows client. Unless perhaps you're
porting some *nix software that uses the MIT/Heimdal API maybe.

Mike

> Cheers
> Stefan
> 
> > On Jan 21, 2007, at 10:11 PM, Stefan Gohmann wrote:
> > > Am Sonntag, 14. Januar 2007 01:08 schrieb Phil Pennock:
> > >> Myself, I don't have our Windows laptop use Kerberos to sign-in;
> > >> instead, I want it to be able to get Kerberos credentials after
> > >> sign-in
> > >> before access services.  For that, I use MIT Kerberos for Windows,
> > >> which
> > >> I can confirm works on XP Home and XP Pro with a Heimdal KDC
> > >> (server).
> > >> It works with Firefox and Thunderbird, with appropriate about:config
> > >> tinkering, and with Mulberry (another free mail client).
> > >
> > > Is it possible, that the internet explorer also use these ticket?
> > >
> > > Cheers
> > > Stefan
> > >
> > > --
> > > Stefan Gohmann         Entwicklung              gohmann@univention.de
> > > Univention GmbH        Linux for your Business  fon: +49 421 22 232- 0
> > > Mary-Somerville-Str.1  28359 Bremen             fax: +49 421 22 232-99
> > >                        http://www.univention.de
> >
> > ------------------------------------------------------------------------
> > The opinions expressed in this message are mine,
> > not those of Caltech, JPL, NASA, or the US Government.
> > Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
> 
> -- 
> Stefan Gohmann         Entwicklung              gohmann@univention.de
> Univention GmbH        Linux for your Business  fon: +49 421 22 232- 0
> Mary-Somerville-Str.1  28359 Bremen             fax: +49 421 22 232-99
>                        http://www.univention.de
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/