KLogon is a secondary Kerberos logon for Windows, designed to mimic
Kerberos single sign-on, primarily on standalone/unmanaged computers.

Essentially KLogon is equivalent to 'runas
/netonly /user:name@KRB.REALM explorer.exe', but it offers a number
of advantages over runas. First of all, runas exercises the entered
password only upon the first connection to a remote service, not when
the new process is spawned, whereas KLogon verifies the typed password
before it re-launches explorer.exe, giving the user immediate
feedback on whether the Kerberos logon succeeded. KLogon then
automatically terminates the currently running explorer.exe and
replaces it with one running with the chosen credentials. This
effectively re-biases the explorer shell and its descendants, in other
words all applications you start afterwards, to the Kerberos realm. To
reinforce the single sign-on illusion, KLogon even registers the chosen
realm as a Local Intranet zone.

However! Restarting explorer with alternative
network credentials unfortunately has certain side-effects.
- Most notably, the start-up folder is re-evaluated and your "tray"
applets are re-executed. Most programs manage this switch just fine,
but no warranties can be provided.
- Secondly, currently mapped network resources are rendered
inaccessible. You have to re-map them if you want to access them from
the "re-biased" session.
- If explorer dies for some reason, you get logged out. Normally
explorer is gracefully restarted. If you are going to terminate
explorer yourself from Task Manager and don't want to be logged out,
terminate the background klogon.exe first.
- Programs left running in the background with the original credentials
might induce confusing behaviour. For example, Acrobat Reader tends to
stick around in the background and pick up any .pdf you double-click in
explorer. What happens is that explorer spawns Acrobat Reader with the
file name as an argument. The new instance first checks whether another
one is already running on the current desktop, and if so, passes the
file name to the one running in the background. Now, if the background
process was started before KLogon and the requested file resides
on a network share, access will fail [because the background process
has no access to the Kerberos credentials]. For this reason it is
recommended to start KLogon as early as possible; you might even choose
to put it into your start-up folder.
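
To spot the leftover background programs described in the last item, the following PowerShell script (an added example, not part of KLogon) lists processes in the current session that were started before klogon.exe. It assumes the background process is named klogon and that its start time marks the point at which explorer was re-launched.

```powershell
# Added example, not part of KLogon.
# Assumption: the background process is named "klogon" (klogon.exe) and its
# start time marks the moment explorer was re-launched with new credentials.
$klogon = Get-Process -Name klogon -ErrorAction SilentlyContinue |
    Sort-Object StartTime | Select-Object -First 1
if (-not $klogon) {
    Write-Warning 'klogon.exe is not running; nothing to compare against.'
    return
}

# Only processes on the same desktop session can pick up files handed over
# by the re-launched explorer, so restrict the check to this session.
$session = (Get-Process -Id $PID).SessionId

$stale = foreach ($p in Get-Process) {
    if ($p.SessionId -ne $session -or $p.Id -eq $klogon.Id) { continue }

    # StartTime is unavailable for protected processes when not elevated.
    $start = $null
    try { $start = $p.StartTime } catch { continue }

    # Started before KLogon: still runs with the original credentials and
    # has no access to the Kerberos credentials.
    if ($start -and $start -lt $klogon.StartTime) {
        [pscustomobject]@{
            Name      = $p.ProcessName
            Id        = $p.Id
            StartTime = $start
            Path      = $p.Path
        }
    }
}

# When run elevated, the list also includes the session's system processes.
$stale | Sort-Object StartTime | Format-Table -AutoSize
```

Programs in this list that open files on behalf of explorer are the ones to close and start again from the re-biased shell.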