Product SiteDocumentation Site

3.7. Configuring a Microsoft Windows System to Join the FreeIPA Realm

  1. Download the MIT Kerberos 3.x package for Windows.
    http://web.mit.edu/kerberos/dist/index.html
  2. Run the kfw-3.x-exe file to launch the MIT Kerberos Installation Wizard.
  3. Read and accept the license agreement.
  4. Install the KfW client. All other components are optional.
  5. Accept the default destination path.
  6. Select Download from web path, and enter the URL to the FreeIPA server. For example:
    http://ipaserver.example.com/ipa/config/
    Include the trailing backslash, or the configuration will fail.
  7. Select Autostart the Network Identity Manager each time you login to Windows.
  8. Click Install to begin the installation. When the installation is complete, click Finish to exit the Wizard.
  9. Edit the hosts file and add the FreeIPA server. For example:
    1.2.3.4     ipaserver.example.com   ipaserver
    Depending on the version of Windows, the HOSTS file could be located in different directories. For Windows XP and later systems, this is in C:\WINDOWS\system32\drivers\etc\.

NOTE

One potential problem is that a ticket is not generated by Kerberos on Windows. Windows can use multiple ticket caches with MIT Kerberos. This can create odd scenarios, where it is possible to authenticate against FreeIPA's domain in the command line, but not to open the web UI.
MIT Kerberos for Windows provides some debugging tools which can be used to troubleshoot Windows Kerberos problems, available at http://web.mit.edu/Kerberos/dist/index.html#kfw-3.2.