w2k client login to kerberos realm

Brian Thompson brianpm at ghidra.eng.wayne.edu
Tue Nov 12 09:11:59 EST 2002


foo at commerceflow.com wrote in message news:<w527kfj5sl3.fsf at debian.directionless.org>...
> > > Empirical evidence suggests you're giving an incomplete answer here.
> > > I have a W2K box on my desk for which I log into an MIT account which
> > > is mapped by the domain to a domain account.  No local account exists.
> > 
> > Hmm not sure how you did that as it conflicts directly with the
> > documentation on the microsoft website, and my own experience.
> > 
> > If there's a way to get it to work it'd be useful to me, as at the moment
> > I have to choose between kerberos or domain login when logging in.
> 
> Microsoft did document this, in the kerbsteps.asp file. look at the
> "Setting Trust with a Kerberos Realm" section of
> http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/kerbsteps.asp
> 
> I set up a test network that did something like this a while ago. It's
> long gone, so I can't pull configs off it, but here's what I remember
> from my notes: (it appears the same as what's at the URL I listed)
> 
>   the AD realm is WOFFICE, the kerberos realm is OFFICE
> 
>   the workstations need a krb5.conf equivalent entry for OFFICE, use
>   ksetup /addkdc to make it.
> 
>   the realms need a shared key (I think)
> 
>   each account needs a mapping account mapping between the realms. use
>   "Active Directory Users and Computers" to map foo at WOFFICE to
>   foo at WOFFICE
> 
>   the workstation's login screen will have 2 realms. the kerberos one,
>   and the AD one. Users shouldn't know the passwords in the AD realm,
>   and if they select the kerberos one all the right things
>   happen. (they can also just log in as foo at OFFICE, and it'll figure
>   out the right realm)
> 
> seph

I ran into the same document and went through
this a while ago. It works for the Windows server
but not for the Windows workstations. As you stated,
the server has two realms (the AD one, and the
Kerberos one) and the logins do work as you
described.

On the workstations there are _three_ domains
(one AD, one Kerberos, one local ws). I'm trying to
tie the first and second together without creating
a shadow account in the third and log in using the
kerberos domain password.

It sounds like Sam has it working but I'm very
curious to see what "ksetup" outputs on his
workstation.

-Brian
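The steps seph lists above (realm trust with a shared key, per-account name mapping in AD, and a ksetup entry on each workstation) as an added example; this is not from the thread or from the Microsoft document, and the host name kdc1.office.example, the trust password placeholder, and the CN path of the user object are assumptions.

```batch
@echo off
rem Hypothetical values (not from the thread): kdc1.office.example, CHANGE_ME_TRUST_KEY,
rem CN=foo,CN=Users,DC=woffice,DC=example. Realm names OFFICE and WOFFICE are from the thread.

rem --- 1. On a WOFFICE domain controller: one-way realm trust, WOFFICE trusts OFFICE.
rem     The password is the shared key seph mentions. The MIT KDC needs the same key
rem     on the cross-realm principal krbtgt/WOFFICE@OFFICE, e.g. on the KDC:
rem       kadmin.local -q "addprinc -pw CHANGE_ME_TRUST_KEY krbtgt/WOFFICE@OFFICE"
rem     Anyone holding this key can mint cross-realm tickets, so generate it randomly
rem     and rotate it on both sides together.
netdom trust WOFFICE /domain:OFFICE /add /realm /passwordt:CHANGE_ME_TRUST_KEY

rem --- 2. On the DC: map the AD account foo to the MIT principal foo@OFFICE.
rem     This is what "Active Directory Users and Computers" -> Name Mappings writes into
rem     the altSecurityIdentities attribute; ldifde does the same thing unattended.
(
  echo dn: CN=foo,CN=Users,DC=woffice,DC=example
  echo changetype: modify
  echo add: altSecurityIdentities
  echo altSecurityIdentities: Kerberos:foo@OFFICE
  echo -
) > map-foo.ldf
ldifde -i -f map-foo.ldf

rem --- 3. On each W2K workstation: tell the Kerberos SSP where the OFFICE KDC is
rem     (the krb5.conf-equivalent entry from the thread) and where to change passwords.
ksetup /addkdc OFFICE kdc1.office.example
ksetup /addkpasswd OFFICE kdc1.office.example

rem Running ksetup with no arguments prints the workstation's current realm settings,
rem which is the output Brian asks to see when comparing a working and a failing box.
ksetup
```

Step 1 and step 2 run on the domain controller, step 3 on every workstation; the kadmin line in the comment runs on the MIT KDC.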
