0

I have a customer with LDAP that I can only log in with GSS-API enabled. He doesn't know how to enable simple authentication.

How can I enable this in MS ActiveDirectory?

1
  • I'm sorry, but: do you want to enable simple authentication in AD (to permit users to log in both via Kerberos/GSSAPI and simple auth), or do you want to give your customer the right LDAP command to use simple authentication (like with an ldapsearch -s <args>)? Thanks. Commented May 29, 2017 at 20:26

1 Answer

1

To enable simple auth for a particular user, do this: https://technet.microsoft.com/en-us/library/cc961961.aspx

"To disable preauthentication, right-click the User object in Active Directory Users and Computers. Click Properties, and then click the Account tab. In the Account options list, check Do not require Kerberos preauthentication"

3
  • No. Kerberos pre-auth is a part of the Kerberos protocol. Disabling it is orthogonal to the problem of not using Kerberos at all. Commented Jun 22, 2017 at 15:52
  • This config enables the client to use simple auth for the exact user. By default it is prohibited, because simple auth does not have Kerberos preauthentication. Commented Jun 28, 2017 at 11:00
  • 2
    Simple auth doesn't use Kerberos at all. Kerberos preauth is an implementation detail of SASL/GSSAPI or SASL/GSS-SPNEGO. Simple isn't even SASL. You can verify this by attempting a simple bind to an account with Kerberos preauth disabled. Use caution, however, as non-TLS-wrapped communication will result in credentials being sent in the clear over the wire, which is why a Group Policy should be set to prohibit that particular issue. Commented Jun 28, 2017 at 15:55
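
The simple versus SASL distinction discussed in the comments above is visible in the BindRequest itself, so a capture from port 389 can be audited for clients that still send simple binds. The following is an added example, not part of the original thread: it decodes the AuthenticationChoice tag of an LDAP BindRequest using the tag values from RFC 4511. The sample messages, DN and secret are constructed placeholders.

```python
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60          # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80           # [0] primitive: the value is the password itself
AUTH_SASL = 0xA3             # [3] constructed: mechanism name + opaque token

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length BER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(message):
    """Describe the auth choice of an LDAP BindRequest; None for other operations."""
    tag, body, _ = read_tlv(message)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body)             # messageID
    tag, bind, _ = read_tlv(body, pos)
    if tag != BIND_REQUEST:
        return None
    _, _, pos = read_tlv(bind)             # version
    _, dn, pos = read_tlv(bind, pos)       # name (bind DN)
    tag, auth, _ = read_tlv(bind, pos)     # AuthenticationChoice
    if tag == AUTH_SIMPLE:                 # not SASL; a non-empty value is the password
        return {"method": "simple", "mechanism": None,
                "dn": dn.decode(), "carries_simple_password": len(auth) > 0}
    if tag == AUTH_SASL:                   # first element names the mechanism
        _, mech, _ = read_tlv(auth)
        return {"method": "sasl", "mechanism": mech.decode(),
                "dn": dn.decode(), "carries_simple_password": False}
    raise ValueError("unknown AuthenticationChoice")

def tlv(tag, value):                       # short-form encoder for the constructed samples
    return bytes([tag, len(value)]) + value

def sample(dn, auth):                      # constructed BindRequest: messageID 1, version 3
    return tlv(SEQUENCE, tlv(INTEGER, b"\x01") + tlv(BIND_REQUEST,
               tlv(INTEGER, b"\x03") + tlv(OCTET_STRING, dn) + auth))

SIMPLE = sample(b"CN=svc,DC=example,DC=test", tlv(AUTH_SIMPLE, b"placeholder-secret"))
GSSAPI = sample(b"", tlv(AUTH_SASL, tlv(OCTET_STRING, b"GSSAPI") + tlv(OCTET_STRING, b"\x60\x00")))
```

A result with `carries_simple_password` set on a connection that is not TLS-wrapped is the case the last comment warns about.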
