I set up a KDC Server and created a Realm EXAMPLE.COM. Here is my krb5.conf file:

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = EXAMPLE.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

[realms]
  EXAMPLE.COM = {
    admin_server = my.linux-server.de
    kdc = my.linux-server.de
  }

I also added a user testuser with password abc via kadmin.local:

kadmin.local:  addprinc testuser@EXAMPLE.COM

I can successfully log in on my Ubuntu VM:

[root@ubuntu-vm ~]# kinit testuser
Password for testuser@EXAMPLE.COM:

Then klist shows:

[root@ubuntu-vm ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser@EXAMPLE.COM

Valid starting       Expires              Service principal
01.12.2016 14:58:40  02.12.2016 14:58:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM

and I can open my Kerberized Hadoop UI.

========================================================================

The problem is my Windows client. I set it up by copying the krb5.conf file from the KDC machine to the Windows client and renamed it to kdc5.ini.

I also set the computer's domain:

C:> Ksetup /setdomain EXAMPLE.COM

After a restart I tried to connect to my KDC Realm via

C:> kinit testuser@EXAMPLE.COM
Password for testuser@EXAMPLE.COM:
<empty row>

Everything looked fine so far, but when I call klist I get only the following result:

Aktuelle Anmelde-ID ist 0:0x7eca34

Zwischengespeicherte Tickets: (0)

In English, something like: "... cached tickets: (0)"

I'm also unable to open my website on the Windows client, so I guess that there's an interoperability issue, as I didn't have any problems connecting via my Ubuntu client.

My browser (Firefox) should be correctly configured on both machines (Ubuntu & Windows); I set the network.negotiate-auth.trusted-uris property to http://my.linux-server.de (since I did this, the Ubuntu client can open the site). Curl also works for Ubuntu, but not for Windows.

UPDATE: Also tried a second Windows client without any success...

D. Müller
  • I assume this is a workgroup machine, have you tried MIT Kerberos client? – Jacob Evans Dec 01 '16 at 14:36
  • Yes, I also tried the MIT Kerberos Client. I clicked "Get Ticket" and entered Principal name and password. In the list below I can see the principal and the "valid until" entry for the ticket. – D. Müller Dec 01 '16 at 14:44
  • @JacobEvans Do I have to configure more than the krb5.ini (copied from the server) and the "ksetup /setrealm EXMAPLE.COM" command? – D. Müller Dec 01 '16 at 14:46
  • Can you get a network trace, taken from the client, filtered for Kerberos traffic... – Ryan Ries Dec 01 '16 at 14:54
  • honestly not sure, still trying to figure this out for a krb5 realm trust between 2012R2 and ipa – Jacob Evans Dec 01 '16 at 14:59
  • Are you sure you named the `krb5.conf` file as `kdc5.ini` on Windows? I think it should be `krb5.ini`. – Petr Bodnár Dec 09 '19 at 12:17

1 Answer

Finally I got it working! I made the following steps on a Windows 7 (64-bit) machine; it should also work on Windows 10:

  1. Install the MIT Kerberos from here. I took the actual Windows version, which is MIT Kerberos for Windows 4.1, and installed it with default settings.
  2. Open the file C:\ProgramData\MIT\Kerberos\krb5.ini and insert the following settings:

New content of the file:

[libdefaults]
  default_realm = EXAMPLE.COM

[realms]
  EXAMPLE.COM = {
    admin_server = your.admin.server.de
    kdc = your.kdc.server.de
  }

  3. Download and install the actual Firefox browser.
  4. Type about:config in the address bar of the Firefox browser and set the following parameters:

Parameter = Value pairs:

network.negotiate-auth.delegation-uris = http://your.kdc.server.de

network.negotiate-auth.trusted-uris = http://your.kdc.server.de

network.auth.use-sspi = false

  5. Restart your PC.
  6. Use the MIT Kerberos Ticket Manager to obtain a new ticket for your user.
  7. You should see your ticket in the manager.
  8. Now you should be able to open the web page that needs authentication.

D. Müller
  • More help here: http://computing.help.inf.ed.ac.uk/kerberos-windows They use some other tools for 64-bit Windows machines, but it also should work with MIT Kerberos as explained above. For 32-bit Windows, MIT Kerberos is recommended anyway. – D. Müller Jan 10 '17 at 11:20
  • In other words, you say that replacing the default Windows Kerberos implementation by the downloaded MIT implementation fixes the problem, even for Windows 10? And why does Windows 10 ignore the `krb5.ini` file no matter where one places it (at least it seems so on my machine)? – Petr Bodnár Dec 09 '19 at 12:26
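An added example, not part of the question, the answer or MIT Kerberos itself: a small Python checker for the krb5.conf / krb5.ini format used in both posts. It parses the `[section]` headers and the `NAME = { ... }` realm blocks (which stock `configparser` cannot handle), then reports the three things a reviewer of this thread would look for: the wrong file name (MIT Kerberos for Windows reads `krb5.ini`, not `kdc5.ini`), a `default_realm` with no matching `[realms]` entry or no `kdc`, and enctype lists that still allow DES, 3DES or RC4 (deprecated by RFC 8429; the question only has them commented out, the sample below enables them on purpose). The sample file, `parse_krb5` and `check_conf` are constructed for this example.

```python
import re

# Constructed sample modelled on the thread's krb5.conf, with the weak
# enctype line deliberately uncommented so the check has something to flag.
SAMPLE_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM      # trailing comments are stripped
  ticket_lifetime = 24h
  default_ccache_name = /tmp/krb5cc_%{uid}
  default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[realms]
  EXAMPLE.COM = {
    admin_server = my.linux-server.de
    kdc = my.linux-server.de
  }
"""

# Enctype names that should not appear in a modern profile (RFC 8429 deprecates
# DES3 and RC4; single DES has been removed from MIT krb5 altogether).
WEAK_ENCTYPES = {'des-cbc-crc', 'des-cbc-md5', 'des3-cbc-sha1',
                 'rc4', 'rc4-hmac', 'arcfour-hmac'}

def parse_krb5(text):
    """Parse krb5.conf/krb5.ini into {section: {key: value | {subkey: value}}}.
    Handles [section] headers, 'key = value' lines and one level of
    'NAME = { ... }' sub-blocks as used in [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments, whitespace
        if not line:
            continue
        header = re.fullmatch(r'\[(\w+)\]', line)
        if header:                                   # new top-level section
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if line == '}':                              # end of a sub-block
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':                             # start of 'NAME = {'
            block = section.setdefault(key, {})
        else:
            (block if block is not None else section)[key] = value
    return conf

def check_conf(conf, filename='krb5.ini'):
    """Return a list of findings for the parsed config; empty means it looks sane."""
    findings = []
    if filename.lower() != 'krb5.ini':
        findings.append(f'MIT Kerberos for Windows reads krb5.ini, not {filename}')
    lib = conf.get('libdefaults', {})
    realm = lib.get('default_realm')
    if not realm:
        findings.append('no default_realm in [libdefaults]')
    elif realm not in conf.get('realms', {}):
        findings.append(f'default_realm {realm} has no [realms] entry')
    elif 'kdc' not in conf['realms'][realm]:
        findings.append(f'no kdc defined for realm {realm}')
    for key in ('default_tgs_enctypes', 'default_tkt_enctypes', 'permitted_enctypes'):
        weak = WEAK_ENCTYPES & set(lib.get(key, '').split())
        if weak:
            findings.append(f'{key} enables weak enctypes: {sorted(weak)}')
    return findings

if __name__ == '__main__':
    for finding in check_conf(parse_krb5(SAMPLE_CONF), 'kdc5.ini'):
        print('WARNING:', finding)
```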