Information Technology Central Services at the University of Michigan, Wednesday, January 07, 2009
Kerberos in the Michigan Tree

Last Updated: August 02, 2004

The Novell NMAS Kerberos Login Method enables a user to authenticate to eDirectory using Kerberos tickets. Our implementation uses the existing MIT Kerberos V system on campus (the UMICH.EDU realm). Integrating this solution into the Michigan Tree allows units to offer services to people on campus without requiring them to remember another password, which should let a unit offer its services to a larger subset of the population.

A list of currently reported problems appears at the end of this page.

Configuring a User for Kerberos Authentication

Using ConsoleOne:

  1. Right-click the eDirectory user, then select Extensions of this Object.
  2. Click Add Extension.
  3. Select krbForeignPrincipalAux from the list and click OK.
  4. When the generic editing window comes up, click OK.
  5. Enter the name of the Kerberos principal that you would like to associate with the eDirectory user (the user's uniqname).
  6. Enter the foreign principal name with the Realm name specified in Step 3e (for example, uniqname@UMICH.EDU) in the Foreign Principal Name attribute.
  7. Click OK, then click Close.
  8. Double click on the user to open the properties dialog and click on the Other tab.
  9. If you do not see uniqueID in the list of attributes, click Add, choose it from the list, and give it a value equal to the eDirectory user name.

Using iManager:

  1. Refer to the Kerberos Login Method for NMAS Quick Start Guide on the NetWare volume for installing the Kerberos LDAP Extension and installing the iManager Plug-in for NMAS Kerberos.
    (\\itd-nw1\netware\NMAS\Kerberos Login Method\NMAS_Kerberos_Method_10\Novell\Kerberos\docs\nmaskrb_quickstart\)

There are a number of ways to automate this process for a large number of users. If you will be enabling large numbers of users for Kerberos Authentication and would like help automating this, please contact netware.support@umich.edu.
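As an added example (not from the original page and not Novell's or ITCS's own tooling), the script below generates the LDIF that a bulk enablement could feed to ldapmodify, performing the same three changes as the ConsoleOne steps above for each user while refusing malformed or duplicate uniqnames, since the foreign principal mapping decides which Kerberos identity may log in as a given eDirectory user. The LDAP attribute name krbForeignPrincipalName, the container ou=users,o=umich, the assumption that each user's cn equals the uniqname, and the uniqname format rule are all assumptions, not values taken from the page.

```python
import re

# krbForeignPrincipalAux is named on the page; the LDAP attribute name below
# (shown as "Foreign Principal Name" in ConsoleOne) is an assumption.
AUX_CLASS = "krbForeignPrincipalAux"
PRINCIPAL_ATTR = "krbForeignPrincipalName"
REALM = "UMICH.EDU"
# Assumed/constructed uniqname rule: 3-8 lowercase alphanumerics, letter first.
UNIQNAME_RE = re.compile(r"^[a-z][a-z0-9]{2,7}$")


def ldif_for_users(uniqnames, base_dn="ou=users,o=umich"):
    """Return (ldif_text, rejected) for bulk-enabling Kerberos login.

    Each accepted uniqname yields one modify record that adds the auxiliary
    class, sets the foreign principal to uniqname@REALM and sets uniqueID to
    the user name (assumed here to be the cn).  Malformed and duplicate
    names are reported instead of silently mapped.
    """
    records, rejected, seen = [], [], set()
    for raw in uniqnames:
        name = raw.strip()
        if not UNIQNAME_RE.match(name):
            rejected.append((raw, "malformed uniqname"))
            continue
        if name in seen:
            rejected.append((raw, "duplicate"))
            continue
        seen.add(name)
        records.append("\n".join([
            f"dn: cn={name},{base_dn}",
            "changetype: modify",
            "add: objectClass",
            f"objectClass: {AUX_CLASS}",
            "-",
            f"add: {PRINCIPAL_ATTR}",
            f"{PRINCIPAL_ATTR}: {name}@{REALM}",
            "-",
            # replace rather than add: "add" fails on users that already
            # carry a uniqueID, and the page wants it equal to the user name.
            "replace: uniqueID",
            f"uniqueID: {name}",
            "-",
        ]))
    return "\n\n".join(records) + ("\n" if records else ""), rejected


if __name__ == "__main__":
    text, bad = ldif_for_users(["bjensen", "Bad Name!", "bjensen", " amy "])
    print(text)
    print("rejected:", bad)
```

Review the rejected list before running ldapmodify, and compare the generated principals against the Kerberos realm's account list so that no eDirectory user is mapped to a principal that does not belong to that person.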

Configuring a workstation for Kerberos Authentication

In order to use this login method, you will need a Windows workstation with Client32. We recommend using the latest version of Client32.

Client32 versions 4.9 and 3.4 include the NMAS client.  If you are using a version of Client32 prior to 4.9 or 3.4, the NMAS client will need to be installed on the workstation.  This can be found on the NetWare volume in the Clients\NMAS\clientsetup\Disk1 directory.  Run setup.exe from there.

  1. After executing setup.exe, click next on the welcome screen and yes on the license agreement screen.
  2. We are not using the Disconnected Login feature, but you are welcome to give it a try and tell us how it works. Make your choice and click Next.
  3. Click Finish and reboot.
  4. Upon reboot, you may notice a different Novell login screen, one without a password box.
  5. Be sure that NDS is the chosen sequence on the NMAS tab and press OK. You will then be prompted for your password.

Once the NMAS client is installed, it's time to install the Kerberos Login Method.  This can be found on the NetWare volume in the NMAS\Kerberos Login Method\NMAS_Kerberos_Method_10\Novell\Kerberos\client directory.  Run clientsetup.exe from there.

  1. Execute clientsetup.exe and follow the prompts.
  2. If you will be populating the MIT Ticket Cache, choose to retain the Novell Credential Cache.
  3. Click Finish.

Logging in Using the Kerberos Authentication

The properties for a Kerberos login can be set at the time of login, or beforehand by editing an existing location profile, or creating a new one, through the Novell Client Properties page.

On the Login screen, you will need to click the Advanced button, select the NMAS tab and choose the Kerberos sequence.

Currently Reported Problems

  1. Removing the Kerberos Login Method client does not remove the associated registry keys.
  2. The method currently does not work across NAT.
  3. Locking and unlocking the workstation does not refresh MIT Credential Cache.

