Authenticating Windows 7 against MIT Kerberos 5

I've been wracking my brains trying to get Windows 7 authenticating against a MIT Kerberos 5 Realm (which is running on an Arch Linux server).

I've done the following on the server (aka dc1):

  • Installed and configured an NTP time server
  • Installed and configured DHCP and DNS (setup for the domain tnet.loc)
  • Installed Kerberos from source
  • Setup the database
  • Configured the keytab
  • Setup the ACL file with: *@TNET.LOC *
  • Added a policy for my user and my machine:
addpol users
addpol admin
addpol hosts
ank -policy users [email protected]
ank -policy admin tom/[email protected]
ank -policy hosts host/wdesk3.tnet.loc -pw MYPASSWORDHERE

I then did the following on the Windows 7 client (aka wdesk3):

  • Made sure the IP address was supplied by my DHCP server and dc1.tnet.loc pings OK
  • Set the internet time server to my linux server (aka dc1.tnet.loc)
  • Used ksetup to configure the realm:
ksetup /SetRealm TNET.LOC
ksetup /AddKdc dc1.tnet.loc
ksetup /SetComputerPassword MYPASSWORDHERE
ksetup /MapUser * *
  • After some googling I found that DES encryption is disabled by Windows 7 by default, so I turned on the policy to support DES encryption over Kerberos
  • Then I rebooted the Windows client

However, after doing all that I still cannot log in from my Windows client. :(

Looking at the logs on the server, the request looks fine and everything works great. I think the issue is that the response from the KDC is not recognized by the Windows client, and a generic login error appears: "Login Failure: User name or password is invalid".

The log file for the server looks like this (I tailed it, so I know it's happening when the Windows machine attempts the login). Screenshot: http://dl.dropbox.com/u/577250/email/login_attempt.png

If I supply an invalid realm in the login window I get a completely different error message, so I don't think it's a connection problem from the client to the server. But I can't find any error logs on the Windows machine (anyone know where these are?).

If I try: runas /netonly /user:[email protected] cmd.exe everything works (although nothing appears in the server logs, so I'm wondering if it's not touching the server for this at all?), but if I run: runas /user:[email protected] cmd.exe I get the same authentication error.

Any Kerberos gurus out there who can give me some ideas as to what to try next? Pretty please?
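Since the server-side krb5kdc.log is the one place the poster can see the exchange, here is an added example (not from the original post) that parses log lines in the MIT krb5kdc.log format, separates issued tickets from failures, and flags tickets whose ticket or session key uses a DES enctype. The sample lines are constructed for illustration; enctype numbers follow RFC 3961 (1/2/3 = DES, 16 = 3DES, 17/18 = AES, 23 = RC4-HMAC).

```python
import re

# Constructed sample lines in the style of MIT krb5kdc.log (not the poster's real log).
SAMPLE_LOG = """\
Oct 10 09:41:02 dc1 krb5kdc[1312](info): AS_REQ (4 etypes {18 17 23 3}) 192.168.10.23: NEEDED_PREAUTH: tom@TNET.LOC for krbtgt/TNET.LOC@TNET.LOC, Additional pre-authentication required
Oct 10 09:41:02 dc1 krb5kdc[1312](info): AS_REQ (4 etypes {18 17 23 3}) 192.168.10.23: ISSUE: authtime 1286703662, etypes {rep=18 tkt=18 ses=18}, tom@TNET.LOC for krbtgt/TNET.LOC@TNET.LOC
Oct 10 09:41:03 dc1 krb5kdc[1312](info): TGS_REQ (4 etypes {18 17 23 3}) 192.168.10.23: ISSUE: authtime 1286703662, etypes {rep=18 tkt=3 ses=3}, tom@TNET.LOC for host/wdesk3.tnet.loc@TNET.LOC
Oct 10 09:42:17 dc1 krb5kdc[1312](info): AS_REQ (4 etypes {18 17 23 3}) 192.168.10.23: PREAUTH_FAILED: tom@TNET.LOC for krbtgt/TNET.LOC@TNET.LOC, Decrypt integrity check failed
"""

DES_ETYPES = {1, 2, 3}  # des-cbc-crc, des-cbc-md4, des-cbc-md5 (RFC 3961 numbers)

# Common prefix of every AS_REQ/TGS_REQ line: request type, offered enctypes, client IP, status.
LINE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# ISSUE lines carry the negotiated reply/ticket/session enctypes and the principals.
ISSUE_RE = re.compile(
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)
# Non-ISSUE lines: principals followed by an optional reason text.
FAIL_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^,]+)(?:, (?P<reason>.*))?$")


def parse_kdc_log(text):
    """Parse krb5kdc.log text into a list of event dicts; non-request lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = {"req": m.group("req"), "ip": m.group("ip"), "status": m.group("status"),
              "offered": {int(e) for e in m.group("offered").split()}}
        rest = m.group("rest")
        if ev["status"] == "ISSUE":
            i = ISSUE_RE.search(rest)
            ev.update(client=i.group("client"), service=i.group("service"),
                      tkt=int(i.group("tkt")), ses=int(i.group("ses")))
        else:
            f = FAIL_RE.search(rest)
            ev.update(client=f.group("client"), service=f.group("service"),
                      reason=f.group("reason") or "")
        events.append(ev)
    return events


def weak_issues(events):
    """Issued tickets whose ticket key or session key uses a DES enctype."""
    return [e for e in events if e["status"] == "ISSUE"
            and (e["tkt"] in DES_ETYPES or e["ses"] in DES_ETYPES)]


def failures(events):
    """Requests the KDC rejected (NEEDED_PREAUTH is a normal first round trip, not a failure)."""
    return [e for e in events if e["status"] not in ("ISSUE", "NEEDED_PREAUTH")]
```

Running this over a real krb5kdc.log shows whether the Windows client's service ticket was actually issued, and whether turning on DES caused the KDC to hand out DES-keyed tickets, which is what a defender would want to rule out before leaving that policy enabled.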


Check out pGina. It doesn't have a Kerberos plugin, so you'll have to write one. Alternatively you can use OpenLDAP as a proxy and use the pGina LDAP plugin.


Apparently AD is absolutely required if you have Windows clients as the Windows clients require a small extension to the standard Kerberos ticket which AD appends.

MIT Kerberos Server cannot authenticate Windows clients on its own at this time.

(Information retrieved on the MIT Kerberos Newsgroup)