You are here

Kerberos for Windows

Printer-friendly versionPrinter-friendly version

IMPORTANT NOTE: The secure-endpoints website, which distributes Heimdal Kerberos and Network Identity Manager has been intermittently unavailable for the last few months. Because of this, we are recommending that if you are installing Kerberos to give you access to the School's OpenAFS file system and you are comfortable using Windows command prompt, then you should use the version of Kerberos which comes as part of the Auristor OpenAFS client and follow the procedure detailed in AFS for Windows to obtain Kerberos credentials and AFS tokens. If this does not apply, follow the procedure on this page. If you have an urgent query, please contact us through the support form

This document describes how to install and configure Kerberos for Windows. This procedure been tested using Windows 7 32bit and 64bit, Windows 8 32bit and 64bit and Windows 10 64bit, but should be applicable to other version of Windows.

Please note: Heimdal Kerberos does not work correctly on 32-bit windows. For this reason, we recommend that 64-bit windows users install Heimdal and 32-bit windows users install MIT Kerberos. There are separate pages (below) describing the download and installation of these. Aside from this, the process is almost identical once Kerberos has been installed. Differences between the kerberos distributions are noted in the text

32-bit or 64-bit Windows?

To follow the instructions in this document, you will need to know whether you are running 32-bit or 64-bit Windows. If you don't know this, Microsoft have instructions on finding out:

http://windows.microsoft.com/en-us/windows/32-bit-and-64-bit-windows

The instructions above seem to be for older versions of Windows. For Windows 10, right-click on the Start menu and select System for information on System type.

Download and install Kerberos

The distribution of Kerberos to install depends on whether you are running 32-bit or 64-bit Windows (see above).

For 64-bit Windows, we recommend Heimdal Kerberos:

Heimdal Kerberos for Windows

For 32-bit Windows, we recommend MIT Kerberos:

MIT Kerberos for Windows

Download and install Network Identity Manager

The next stage in the process is to download and install Network Identity Manager, again from Secure Endpoints:

https://www.secure-endpoints.com/netidmgr/v2/

Again, you will need to choose between 32-bit and 64-bit installers (64-bit machines require only the 64-bit installer). Choose the appropriate version without SDK.

Run the installer:

Accept the licence agreement:

Select Typical install:

Click Install to proceed:

Finally, click Finish once the installer has completed:

Run and configure Network Identity Manager

Run Network Identity Manager for the first time from the Start menu (Windows 10 users may need to restart Windows before Network Identity Manager works correctly):

Following this, an icon for Network Identity Manager should appear in the system tray (this is found in the bottom right part of the Windows Task Bar). Click on this icon. If the icon doesn't appear, you might need to click on the up arrow first and then select Show Network Identity Manager.

For users of MIT Kerberos only: It is recommended that you disable the Kerberos v4 plugin in Network Identity Manager before proceeding. This can be done by selecting Options->Plugins from the menu, selecting Krb4Cred and clicking "Disable". You will be prompted to confirm and restart Network Identity Manager.

Once Network Identity Manager has (re)started:

Select Credential -> New credentials -> Obtain new credentials ...

Enter your DICE username in the Username box and INF.ED.AC.UK (this must be upper case) in the Realm box and click Next:

Optionally, tick the "Proxiable" and "Make this the default identity boxes" and increase the lifetime to 18 hours (this is the maximum lifetime for DICE user credentials). Click on Next (not Finish):

Enter your DICE password in the Password box and then tick "Make this the default identity" (again!) Select "Save password in My Keystore" if you want the password for your DICE identity saved on this machine and click Next:

Finally, click Finish, you should see a status dialog box appear briefly as your credentials are obtained.

Note if you have chosen to save your password, click Next instead, and then follow the prompts to set up a keystore.

Once your username and password have been authenticated, you will be returned to the main Network Identity Manager window which should contain a new entry indicating that Kerberos tickets have been successfully obtained:

What now?

Now that you have installed Kerberos on Windows, you may want to:

Configure AFS
Configure SSH (including logging in without a password)
Configure Firefox and Chrome for single-sign-on with our Cosign service

Last reviewed: 
21/03/2017

System Status

Home dirs (AFS)
Network
Mail
Other services
Scheduled downtime

Choose a topic