Use GSSAPI with X-Win32


While Kerberos is a standard protocol, there are currently two implementations of the Kerberos client, and they are incompatible: the MIT Kerberos client for Windows and the Microsoft Kerberos client via Single Sign On. These implementations store Kerberos tickets in different ticket caches, which currently cannot communicate with each other. X-Win32 uses the Microsoft Single Sign On client.

Instructions to configure your Windows machine to use Microsoft Single Sign On are as follows:

Configure the KDC (this will need to be done by a Kerberos administrator on a UNIX host):

  1. kadmin
  2. addprinc -pw password -policy hosts -e des-cbc-crc:normal host/FQDNworkstation_name

Configure the workstation (you must have administrator privileges to do this):

  1. Open a command prompt as an administrator
  2. Set realm: ksetup /SetRealm REALM.EXAMPLE.COM
  3. Set KDC: ksetup /AddKDC KDC.EXAMPLE.COM kdc.host.com
  4. Set the local machine password: ksetup /SetComputerPassword password (must match password above)
  5. Set up user mapping: ksetup /mapuser * * (can also map user@EXAMPLE.com to user)
  6. Set up delegation: ksetup /SetRealmFlags EXAMPLE.COM delegate
  7. Reboot

At this point, you will be able to log in as user@EXAMPLE.COM using your Kerberos password. You can now use Kerberos with Single Sign On in Windows.
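
The workstation steps above collected into one script, with an elevation check, a password prompt in place of a literal on the command you type, and a verification pass to run after the reboot. This is an added example, not part of the original instructions or of X-Win32; the `-Realm`, `-Kdc` and `-Verify` parameters and their default values are placeholders, and it assumes the same realm name is used in every step.

```powershell
# Added example: workstation-side Kerberos setup for Microsoft Single Sign On.
# $Realm, $Kdc and -Verify are illustrative names; replace the defaults with your own values.
param(
    [string]$Realm = 'EXAMPLE.COM',        # placeholder realm, used for every step
    [string]$Kdc   = 'kdc.example.com',    # placeholder KDC host name
    [switch]$Verify                        # run after the reboot to inspect the result
)

function Invoke-Ksetup {
    # Run one ksetup step and stop at the first failure.
    # Assumption: ksetup signals failure with a non-zero exit code.
    param([string[]]$Arguments)
    & ksetup.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        # Report only the switch name so the password never reaches the error text.
        throw "ksetup $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

if ($Verify) {
    & ksetup.exe /DumpState   # realm, KDC, realm flags and user mappings now in effect
    & klist.exe               # tickets held in the Windows logon session's cache
    return
}

# Step 1: ksetup changes machine-wide settings, so refuse to run unelevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

# Prompt for the host principal password set on the KDC with addprinc.
# It is still handed to ksetup as an argument, as in the manual step.
$secure = Read-Host -AsSecureString 'Host principal password'
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

Invoke-Ksetup @('/SetRealm', $Realm)                      # step 2
Invoke-Ksetup @('/AddKDC', $Realm, $Kdc)                  # step 3
Invoke-Ksetup @('/SetComputerPassword', $plain)           # step 4
Invoke-Ksetup @('/MapUser', '*', '*')                     # step 5
Invoke-Ksetup @('/SetRealmFlags', $Realm, 'delegate')     # step 6
Remove-Variable plain

# Step 7 is left to the operator.
Write-Host "Reboot, log in as user@$Realm, then rerun this script with -Verify."
```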