w2k client login to kerberos realm

foo@commerceflow.com foo at commerceflow.com
Mon Nov 11 23:18:16 EST 2002


> > Impirical evidence suggests you're giving an incomplete answer here.
> > I have a W2K box on my desk for which I log into an MIT account which
> > is mapped by the domain to a domain account.  No local account exists.
> 
> Hmm not sure how you did that as it conflicts directly with the
> documentation on the microsoft website, and my own experience.
> 
> If there's a way to get it to work it'd be useful to me, as at the moment
> I have to choose between kerberos or domain login when logging in.

Microsoft did document this, in the kerbsteps.asp file. look at the
"Setting Trust with a Kerberos Realm" section of
http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/kerbsteps.asp

I set up a test network that did something like this awhile ago. It's
long gone, so I can't pull configs off it, but here's what I remember
from my notes: (it appears the same as what's at the URL I listed)

  the AD realm is WOFFICE, the kerberos realm is OFFICE

  the workstations need a krb5.conf equivlent entry for OFFICE, use
  ksetup /addkdc to make it.

  the realms need a shared key (I think)

  each account needs a mapping account mapping between the realms. use
  "Active Directory Users and Computers" to map foo at WOFFICE to
  foo at WOFFICE

  the workstation's login screen will have 2 realms. the kerberos one,
  and the AD one. Users shouldn't know the passwords in the AD realm,
  and if they select the kerberos one all the right things
  happen. (they can also just login as foo at OFFICE, and it'll figure
  out the right realm)

seph



More information about the Kerberos mailing list