win2k and kerberosV(mit)

David Lawler Christiansen (NT) davidchr at
Mon Jun 10 17:55:51 EDT 2002

It sounds like you have a Win2K Pro machine (say, WIN2KPRO), and you are
trying to add a realm (say, REALM) to it.  You want to map
WIN2KPRO\LocalUser to realmuser at REALM.COM.  If I'm wrong about your
setup, please correct me.

If so, then:

1. logging on with WIN2KPRO\LocalUser (with the local password) should
not generate any traffic on the KDC-- it's a local logon.  Kerberos is
not involved.

2. Logging on with realmuser at REALM.COM (with the Kerberos password)
should generate KDC traffic.

If you're unsure, use tcpdump or Netmon to take a sniff.

This message or posting is provided "AS IS" with no warranties, and
confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer.
I reside in Washington, USA, where Title 19 declares that sending me
Unsolicited Commercial Email can result in a $500 fine.
Harvesting of this address for purposes of bulk email (spam and UCE) is
expressly prohibited unless by my explicit prior request.  I retaliate
viciously against spammers and spam sites.

> -----Original Message-----
> From: Josef Allen [mailto:josallen at] 
> Sent: Friday, June 07, 2002 12:19 AM
> To: kerberos at
> Subject: win2k and kerberosV(mit)
> I have recently followed the how to for a win2kpro to use a 
> mit kdc server. I followed all of the directions. I then 
> rebooted the win2kpro (windows 2000 professional). Ichecked 
> to see if I had different domains. Namely the domain that is 
> in question was the kdc domain name and the name of the 
> standalone win2kpro. I noticed that I had both domains. I 
> then mapped a user from a win2kpro user to a user at REALM using 
> the ksetup utility. Of course I had created a local account 
> already for the user on the win2kpro. I then tried to use the 
> account using my newly created domain. I had success. Now 
> that I have painted this picture let me tell you what went WRONG.
> I checked the krb5kdc.log file and saw no activity.
> I checked the kadmind.log file and saw no activity.
> I tried to logon to the win2kpro machine with a user that was 
> created for the local machine BUT was not mapped to the mit 
> kdc. I was successful in logging on via the kdc domain.
> Thus how can I tell when I truly have interoperability.
> Josef De Vaughn Allen
>                      z
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list