Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

As many vendors have their own implementation of Kerberos, configuration details for each implementation are likely to vary. Here are some links that may help those troubleshooting Kerberos on commonly used platforms.

1136 questions
43
votes
5 answers

Why use Kerberos instead of NTLM in IIS?

This is something that I've never really been able to answer as well as I like: What is the real advantage of using Kerberos authentication in IIS instead of NTLM? I've seen a lot of people really struggle to get it set up (myself included) and I…
Infotekka
  • 545
  • 1
  • 5
  • 6
39
votes
2 answers

Can someone please explain Windows Service Principal Names (SPNs) without oversimplifying?

I have wrestled with service principal names a few times now and the Microsoft explanation is just not sufficient. I am configuring an IIS application to work on our domain and it looks like some of my issues are related to my need to configure http…
29
votes
2 answers

What is SASL/GSSAPI?

Numerous times I have met the expression SASL/GSSAPI. I have searched Google many times, but I simply do not understand what it is and how it relates to Kerberos. Does anybody have a simple explanation of this?
NT332
24
votes
2 answers

Authenticating OpenBSD against Active Directory

Edit: Reformatted this as Q&A. If anyone can change this from Community Wiki to a typical question, that's probably more appropriate as well. How can I authenticate OpenBSD against Active Directory?
sh-beta
  • 6,756
  • 7
  • 46
  • 65
22
votes
3 answers

How does Kerberos work with SSH?

Suppose I have four computers: Laptop, Server1, Server2, Kerberos server. I log in using PuTTY or SSH from L to S1, giving my username / password. From S1 I then SSH to S2. No password is needed as Kerberos authenticates me. Describe all the…
PhilR
  • 483
  • 1
  • 4
  • 14
21
votes
6 answers

How do I get /dev/random to work on an Ubuntu virtual machine?

Apparently, /dev/random is based on hardware interrupts or similar unpredictable aspects of physical hardware. Since virtual machines don't have physical hardware, running cat /dev/random within a virtual machine produces nothing. I'm using Ubuntu…
Nick
  • 4,433
  • 29
  • 67
  • 95
20
votes
2 answers

The Story of secure user-authentication in squid

Once upon a time, there was a beautiful warm virtual-jungle in South America, and a squid server lived there. Here is a perceptual image of the network: | | …
Isaac
  • 581
  • 1
  • 12
  • 25
18
votes
1 answer

IPA vs just LDAP for Linux boxes - looking for a comparison

There are a few (~30) Linux (RHEL) boxes and I'm looking for a centralized and easily managed solution, mostly to control user accounts. I'm familiar with LDAP, and I deployed a pilot of IPA ver2 from Red Hat (==FreeIPA). I understand that in theory IPA…
17
votes
8 answers

How do you find out if Active Directory is using Kerberos or NTLM?

Is there a command line program you can use?
LeWoody
  • 299
  • 1
  • 2
  • 8
15
votes
3 answers

Getting Squid to authenticate with Kerberos and Windows 2008/2003/7/XP

This is something I set up recently and was quite a big pain. My environment was getting squid to authenticate a Windows 7 client against a Windows 2008 Server invisibly. NTLM is not really an option, as using it requires a registry change on each…
Harley
  • 2,177
  • 6
  • 25
  • 29
15
votes
2 answers

Why don't Active Directory user accounts automatically support Kerberos AES authentication?

I'm playing around with a test domain on Windows Server 2012 R2. I'm operating at the highest possible functional level and have no backwards-compatibility issues in my small test environment. However, I've realized that despite the fact that I have…
15
votes
4 answers

Linux Central Authentication/Authorization Methods

I have a small but growing network of Linux servers. Ideally I'd like a central place to control User Access, change passwords, etc... I've read a lot about LDAP servers, but I'm still confused about choosing the best authentication method. Is…
Chris McBride
  • 151
  • 1
  • 1
  • 3
15
votes
9 answers

Kinit Won't Connect to a Domain Server : Realm not local to KDC while getting initial credentials

I am setting up a testbed environment where Linux (Ubuntu 10.04) clients will authenticate to a Windows Server 2008 R2 Domain Server. I am following the official Ubuntu guide to set up a Kerberos client here:…
Phanto
  • 851
  • 5
  • 16
  • 24
14
votes
5 answers

Kerberos Authentication for workstations not on domain

I have a base understanding of how Kerberos works in an Active Directory environment and the methods it uses to authenticate users and workstations onto the network, but my question is.. since Kerberos relies on issuing a security token that the end…
Eric
  • 145
  • 1
  • 1
  • 4
13
votes
1 answer

Why is MS SQL Server Using NTLM Authentication?

Windows Server 2008 R2. SQL Server 2008 R2 installed. MSSQL Service runs as Local System. Server FQDN is SQL01.domain.com. SQL01 is joined to an Active Directory domain named domain.com. The following is the output of setspn: C:\> setspn -L…
Ryan Ries
  • 55,011
  • 9
  • 138
  • 197