Kerberos For Windows
Kerberos For Windows 3.2.x
Kerberos tickets can provide authentication to a number of services, such as CSAIL OIDC, SSH, AFS, SAPGui, and others.
Client Installer
- Download the Kerberos for Windows 64-bit installer
- Download the Kerberos for Windows 32-bit installer
As of this comment (10 Dec 2012) MIT has released MIT Kerberos for Windows 4.x. This release of Kerberos does not contain an AFS plugin, and therefore will not automatically obtain AFS tokens. We are currently not recommending the installation or use of MIT Kerberos for Windows 4 until proper AFS support.
Kerberos Installation Instructions:
Contents
The contents of this .zip file contains a custom CSAIL kfw-3-2-x.msi package, as well as custom CSAIL:
- krb5.ini
- krb.con
- krbrealm.con
The custom .msi package is intended for CSAIL members wishing to install Network Identity Manager with the proper CSAIL environment and realm variables set. Running the .msi will install Kerberos for Windows (Network Identity Manager) as well as copying krb5.ini, krb.con, krbrealm.con to your c:\ (usually c:\windows) directory. If you have a previous version of KfW installed, it will not overwrite the existing copying krb5.ini, krb.con, krbrealm.con files.
Installation:
- Before installation, it is necessary you uninstall any previous KfW versions.
- Unzip the CSAIL_krb.zip package
- Run the kfw-3-2-x.msi installer(s)
- For 64-bit Windows operating systems, first install 64-bit Kerberos. Then install 32-bit Kerberos on top of 64-bit Kerberos, only after verifying that 64-bit Kerberos is working.
- Click next, accept the License Agreement, click next.
- Choose ‘Typical’ for Setup Type, click install, click finish.
Usage
- Launch the Network Identity Manager
-Start-Programs-Kerberos for Windows-Network Identity Manager
- Click on the ‘Obtain New Credentials’ button highlighted below
- Enter you CSAIL username, choose CSAIL.MIT.EDU as your domain, and password. When you have successfully entered your username and password, Network Identity Manager will automatically create a new identity for you (unless you have one already.)
General tips:
- Make sure you have non-expired Kerberos tickets before connecting (check using Network Identity Manager).
- If you want to use CSAIL Kerberos tickets to connect to ATHENA hosts (or vice versa), see [CrossCellHowto]
MIT Kerberos and OpenAFS for Windows issues
When getting Kerberos tickets using MIT Kerberos Leash Manager you get error saying “Ticket Initialization failed. Clock skew too great”
This error is usually due to large difference between the time stamp stored in your kerberos ticket and the network servers on the internet. The difference can be as small as three minutes in order to cause trouble. You need to change your computer’s clock settings to reflect the actual time on the network time servers. Before changing the time shutdown all applications that require kerberos tickets. We also recommend to synchronize time to time.mit.edu using Leash Manager.