replicating windows 2000 principals

Clint Chaplin cchaplin at
Thu Sep 26 21:13:45 EDT 2002

Um, in the user account in AD, you can set an option to not require pre-auth.  I would reccommend that you do so.  If you do not, then the AS_REP will be so big that the Microsoft KDC will send it using TCP/IP instead of UDP/IP.  Most clients will not expect this.

There is an option you can set in the AS_REQ to not have the AS_REP be so big, but that would require you to modify the code that generates the AS_REQ, which is not a trivial task.

Clint (JOATMON) Chaplin

>>> Luke Howard <lukeh at> 9/26/02 07:44:11 >>>

>I am trying to replicate the kerberos database from a Windows 2000 AD
>server to a UNIX krb5 KDC. Problem is that, although Microsoft mentions
>kprop in its Kerberos 5 interoperability document, this service is
>nowhere to be found in Windows 2000. 
>Some documents in MSDN report that "windows 2000 is not using the
>kerberos replication protocol for replication of the user database, but
>a proprietary ADSI based protocol". 

Well, the protocol is no based on ADSI -- that is an API -- rather it is
a DCE RPC-based protocol.

>Is there a way to replicate the Windows 2000 kerberos database on a UNIX
>slave KDC? 

Not that I am aware of.

-- Luke

Luke Howard | PADL Software Pty Ltd | 
Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list