In Mac OS X, how do I authenticate against IU's Kerberos realm?
Note: Mac OS X 10.3 (Panther) and earlier do not support NTLMv2, the authentication protocol used by Windows servers bound to ADS. To work around this problem, you can upgrade your computer to Mac OS X 10.4 (Tiger) or later, which does support NTLMv2, or you may configure your computer to authenticate against Indiana University's Kerberos realm (ADS.IU.EDU) as described below.
- Configure your Kerberos settings for IU. The easiest way to do this is to download and install the IU Kerberos Assistant, available on IUware.

  Note: The Kerberos Assistant will put the edu.mit.Kerberos file in the user domain (~/Library/Preferences/), not the local domain (/Library/Preferences/) as in the instructions below. Putting the file in the local domain makes it available to all users on the computer, but it may overwrite an existing file. UITS recommends this option only for advanced users.

  Alternately, to configure your settings manually:
  - Obtain the Indiana University krb5.conf file.
  - Rename the krb5.conf file to edu.mit.Kerberos and place it in the following directory: /Library/Preferences/
    If you already have an edu.mit.Kerberos file, you may already be able to use Kerberos authentication.
  - Navigate to the directory /System/Library/CoreServices/ and find the Kerberos application. Drag the Kerberos icon to the Dock.
- Open the Kerberos application and do the following:
  - In Mac OS X 10.4, in the application window, click New. In Mac OS X 10.3, click Get Ticket....
  - In the "Name:" field, enter your IU Network ID username.
  - Make sure the Realm is set to ADS.IU.EDU.
  - Enter your IU Network ID passphrase and click OK.

  A Kerberos ticket should appear in the Kerberos application window.
- Try to connect to a Windows share or other Kerberos-enabled resource. You should not need to re-enter your Network ID to make the connection.
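
The manual rename-and-place step can be scripted so that an existing edu.mit.Kerberos file is kept rather than overwritten. The following is an added example, not part of the UITS instructions or the Kerberos Assistant; the function name install_krb_prefs is hypothetical, and it assumes the downloaded krb5.conf names the realm ADS.IU.EDU somewhere in its text.

```sh
#!/bin/sh
# Added example (not IU's or UITS's code): install a krb5.conf as
# edu.mit.Kerberos while keeping any file that is already there.
# Usage: install_krb_prefs SRC DEST_DIR [REALM]
#   DEST_DIR is /Library/Preferences (all users, needs admin rights)
#   or "$HOME/Library/Preferences" (current user only).
install_krb_prefs() {
    src=$1
    dest_dir=$2
    realm=${3:-ADS.IU.EDU}
    dest="$dest_dir/edu.mit.Kerberos"

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    [ -d "$dest_dir" ] || { echo "no such directory: $dest_dir" >&2; return 2; }

    # Refuse a file that never names the expected realm, e.g. a wrong
    # download or an HTML error page saved as krb5.conf.
    grep -F -q "$realm" "$src" ||
        { echo "$src does not mention $realm" >&2; return 3; }

    if [ -e "$dest" ]; then
        # Same content already installed: leave it alone.
        if cmp -s "$src" "$dest"; then
            return 0
        fi
        # Different content: keep a timestamped copy before replacing.
        backup="$dest.bak.$(date +%Y%m%d%H%M%S)"
        cp -p "$dest" "$backup" || return 4
        echo "existing file saved as $backup" >&2
    fi

    # World-readable, owner-writable: the file holds no secrets.
    cp "$src" "$dest" && chmod 644 "$dest"
}
```

For the local domain, run it from an administrator account, for example: sudo sh -c '. ./install_krb_prefs.sh; install_krb_prefs krb5.conf /Library/Preferences' (the script file name is an assumption).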
Last modified on November 11, 2009.







