Enabling Single Sign-On


MIT Kerberos Client Cache

In an environment where eDirectory and Kerberos deployments co-exist, there is a need for single sign-on. To support this, the NMAS Kerberos LCM provides a feature to populate the MIT client's credential cache with the acquired Kerberos credentials.

After the eDirectory login, run the novl2mit utility to populate the MIT credential cache.

The Novell credential cache must be retained so that the MIT credential cache can be populated from it. If you did not select the Retain the Novell Credential Cache option during installation, enable it by setting the registry entry CacheTickets under hkey_local_machine\software\novell\kerberos\1.0\krb5-config to 1 (enable). The novl2mit utility deletes the Novell credential cache after it has populated the MIT credential cache.

This allows other Kerberized applications that work with the MIT Kerberos client to use this TGT for further operations, thereby providing single sign-on to the user.

If you use the FILE cache option for the MIT cache, the novl2mit utility needs Write permission on the cache file in order to populate it. Because novl2mit runs as a user process, you must grant Write permission to the user.

To populate the MIT cache, the MIT libraries (KfW 2.1 or later for Windows) must be installed on the client machines. For more information, refer to the MIT Kerberos Distribution page.

If you do not want to populate the MIT credential cache, disable this option by editing the registry entry CacheTickets under hkey_local_machine\software\novell\kerberos\1.0\krb5-config to 0 (disable).


Using the novl2mit Utility

The novl2mit utility copies only the Ticket Granting Ticket (TGT) to the MIT cache. The utility can be run from a startup program or from the login script. To run it from the login script, you must first add it to the login script.

To add the novl2mit utility to the login script:

  1. Log in to eDirectory.

  2. Right-click the N from the taskbar, then click User Administration for Tree > Edit Login Script.

  3. Add @novl2mit to the login script.

  4. Click OK.


Microsoft Kerberos Client Cache

Unlike the MIT Kerberos client, the Microsoft implementation of the Kerberos client does not provide any functions to populate its credential cache. Also, Microsoft applications might not be able to provide the necessary functionality using the tickets acquired from MIT or other KDCs.

The NMAS Kerberos LCM has a configurable option to work with the Microsoft client cache to provide a single sign-on in a mixed environment with Microsoft Kerberized applications.

The NMAS Kerberos LCM retrieves the ticket from the Microsoft Kerberos Client Cache and logs in to eDirectory. The Microsoft cache is typically available on a machine when the machine is part of the Active Directory domain and a domain user logs in to it.


Microsoft Windows Domain Configuration

For example, create a user novledir in Active Directory. Extract the key of this principal using ktpass.exe. (This utility is part of the Windows 2000 installation and can be installed by running \support\tools\setup.exe from the Windows 2000 installation CD.)

To set the password and extract the key, run the following command:

ktpass -princ novledir/MYTREE@MYREALM -mapuser novledirMYTREE -pass mypassword -out MYTREE.keytab

where MYTREE is the eDirectory tree name, MYREALM is the Windows 2000 domain name, mypassword is the password for the service principal, and MYTREE.keytab is the keytab file into which the key of the service principal is extracted.

Add this Windows 2000 domain realm to eDirectory with the keytab (extracted in the above step) and set Active Directory as the KDC for the realm by following the procedure listed in the Kerberos Login Method for NMAS Quick Start Card.
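
Before importing the keytab into eDirectory it is worth confirming what ktpass actually wrote, in particular that the principal name in the file matches the expected name exactly, since Kerberos principal names are case-sensitive. The following is an added example, not code from Novell, Microsoft or ktpass: it parses a version 2 keytab (the format ktpass -out produces), lists the principals, key version numbers and encryption types, and flags entries that differ from the expected name only in case. The sample keytab it builds is constructed for the example; the kvno, enctype and key bytes in it are placeholders.

```python
"""Parse a version 2 Kerberos keytab (the format ktpass -out writes) and confirm
it carries the expected service principal, matched case-sensitively.
Added example; not code from Novell, eDirectory or the ktpass utility."""
import struct
from typing import List, NamedTuple, Optional, Tuple


class KeytabEntry(NamedTuple):
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int          # the key bytes themselves are deliberately not retained


def _counted(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a 16-bit length-prefixed string at pos; return (text, new pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                  # deleted slot: skip its bytes
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        if len(entry) != size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(entry, p)
            comps.append(c)
        name_type, timestamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", entry, p)
        p += 13 + klen                                # skip over the key material
        kvno = vno8
        if p + 4 <= size:                             # 32-bit kvno is present when room remains
            (kvno32,) = struct.unpack_from(">I", entry, p)
            kvno = kvno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, timestamp, kvno, enctype, klen))
    return entries


def find_principal(data: bytes, expected: str) -> Optional[KeytabEntry]:
    """Exact match only: Kerberos principal names are case-sensitive."""
    return next((e for e in parse_keytab(data) if e.principal == expected), None)


def case_mismatches(data: bytes, expected: str) -> List[str]:
    """Principals that differ from the expected name only in case; a keytab like
    this looks right in a listing but never matches the service name in a ticket."""
    return [e.principal for e in parse_keytab(data)
            if e.principal != expected and e.principal.lower() == expected.lower()]


def build_sample_keytab(principal: str, kvno: int, enctype: int, key: bytes, ts: int) -> bytes:
    """Constructed keytab image for the example (the key is a placeholder)."""
    comps, realm = principal.rsplit("@", 1)
    parts = comps.split("/")
    body = struct.pack(">H", len(parts))
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm] + parts)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # NT_PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                    # 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Run parse_keytab over the bytes of MYTREE.keytab and compare against novledir/MYTREE@MYREALM with find_principal; a non-empty result from case_mismatches means the name typed to ktpass -princ differs in case from what eDirectory will look for.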


Client Configuration

On Windows 2000 or later, Novell Client 4.9 or later must be installed, and the machine must be a member of the Active Directory domain.

The Windows login must be set as the default before using the Kerberos Login Method for NMAS with MS cache support. To do this:

  1. Double-click ChangeDefaultLogin.exe in extracted_folder/NMAS_Kerberos_Method_10/Novell/Kerberos/MS Cache Utility, where extracted_folder is the directory into which you extracted NMAS_Kerberos_Method_10.zip.

    This checks the Novell Client version.

  2. Based on the default login, do one of the following:

Every user in the AD domain has a corresponding Kerberos principal. You must associate the domain user's Kerberos principal with the eDirectory user you want to log in as. For more information, refer to the Kerberos Login Method for NMAS Quick Start Card.

NOTE: Kerberos principal names are case-sensitive. You must use the exact case reported by the AD administration tools.


Logging in to eDirectory using the MS Ticket

  1. Log in to the machine as the domain user.

  2. Right-click the N from the taskbar to initiate the Novell Login.

  3. Specify the eDirectory user that is associated with this domain user, then click OK.

    The login using the MS ticket completes without prompting for the password.

  4. (Conditional) If multiple principals are associated with the same eDirectory user, choose the principal with which you logged in to the machine. If you choose a different principal, you are prompted for the password.