w2k kerberos logon

Steve Langasek vorlon at dodds.net
Fri Dec 13 11:59:48 EST 2002

Hi Graham,

On Fri, Dec 13, 2002 at 03:00:36PM -0000, Graham Turner wrote:
> Have posted on the Microsoft newsgroups with little good information to
> date, so hope someone here has info on the W2k implementation of Kerberos.

> trying to get to understand how the kerberos client generates the domain
> name to authenticate the user when they enter the downlevel NetBIOS name in
> the logon dialog box.

> Hope someone here can be of help .

Based on what I know of NetBIOS, Kerberos, LDAP and ADS, here follows an
educated guess describing one known *possible* mechanism:

The workstation sees that the domain name is a NetBIOS domain, and queries
the WINS server (possibly via an LDAP proxy) for the IP address of the
domain controllers.  It then attempts to issue an LDAP query against these
servers to query the DC's ADS domain name (which IIRC is stored on the
rootDSE), and if successful, it can then resolve the KDC addresses using

An alternate approach would be for the client to issue queries exclusively
using LDAP, and this is probably more scalable than depending on a WINS
server.  I believe the legacy NetBIOS domain is listed somewhere in LDAP,
but I don't recall where.

Steve Langasek
postmodern programmer

More information about the Kerberos mailing list