Windows 2000 Server as KDC

Mel Riser mel.riser at fxfn.com
Wed Jul 16 14:24:48 EDT 2003


Microsoft based its Kerberos implementation on the open standard that RFC 1510 defines (i.e., Kerberos V5), which means that Kerberos can provide authentication interoperability between Win2K and other OSs that support an RFC 1510-based Kerberos implementation.

Kerberos authentication interoperability comes in three flavors: A Win2K server hosts the Kerberos KDC and serves as a KDC for Win2K and other platform clients. Alternatively, a non-Win2K server hosts the Kerberos KDC and serves as a KDC for Win2K and other platform clients. Finally, you can create a cross-realm trust relationship between a Win2K domain and another platform to provide authentication interoperability. In this case, you have two KDCs, one KDC on each side of the trust relationship.

Authentication interoperability isn't simple and makes administration more complex. For example, to use a cross-realm trust to obtain authentication interoperability between Win2K and a UNIX platform, you must define an explicit mapping between each UNIX account that will access resources in your Win2K domain and a Win2K account, as Screen 5 shows. You must map each UNIX account because UNIX Kerberos account names are meaningless to Win2K domains. Windows environments use SIDs to identify accounts. UNIX accounts defined in a UNIX Kerberos domain don't have SIDs. The Security Identity Mapping dialog box shows mappings as part of a user object's advanced features.
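The per-account mapping described above, as an added example that is not part of the original post or of Microsoft's documentation. Behind the Security Identity Mapping (Name Mappings) dialog, each Kerberos name mapping is stored as a `Kerberos:principal@REALM` value in the AD user's multi-valued `altSecurityIdentities` attribute, so the mappings can be scripted. The realm trust step uses `netdom trust ... /add /realm`. The realm name `UNIX.EXAMPLE.COM`, the domain `corp.example.com`, the account names and the trust password are assumptions for illustration; the ActiveDirectory PowerShell module is assumed to be installed and the script run with domain-admin rights.

```powershell
# Added example, not from the original post. All names are hypothetical.
# Step 1: establish the cross-realm trust between the Win2K/AD domain and
#         the UNIX Kerberos realm (the same password must be set on the
#         UNIX KDC for the krbtgt/CORP.EXAMPLE.COM@UNIX.EXAMPLE.COM principal).
$adDomain  = 'corp.example.com'      # assumed AD domain (trusting side)
$unixRealm = 'UNIX.EXAMPLE.COM'      # assumed MIT/Heimdal realm (trusted side)
$trustPw   = Read-Host -AsSecureString 'Realm trust password'
$plainPw   = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($trustPw))
netdom trust $adDomain /Domain:$unixRealm /add /realm /PasswordT:$plainPw

# Step 2: map each UNIX principal to a Win2K (AD) account. Without this
#         mapping a UNIX principal has no SID, so it cannot be authorized
#         against Windows ACLs even though its ticket is accepted.
Import-Module ActiveDirectory

# unixPrincipal -> sAMAccountName; constructed sample data
$mappings = @{
    'jdoe'   = 'jdoe'
    'asmith' = 'a.smith'
}

foreach ($unixName in $mappings.Keys) {
    $adUser = $mappings[$unixName]
    $value  = "Kerberos:$unixName@$unixRealm"
    # -Add appends to the multi-valued attribute without clobbering other mappings
    Set-ADUser -Identity $adUser -Add @{ altSecurityIdentities = $value }
    Write-Host "mapped $value -> $adUser"
}

# Step 3: verify. A mapped account lists the Kerberos: value exactly as the
#         Name Mappings dialog displays it; a missing or misspelled realm
#         means the mapping will silently fail at logon.
foreach ($adUser in $mappings.Values) {
    Get-ADUser -Identity $adUser -Properties altSecurityIdentities |
        Select-Object SamAccountName, @{ n = 'KerberosNames'; e = {
            ($_.altSecurityIdentities | Where-Object { $_ -like 'Kerberos:*' }) -join '; '
        } }
}
```

The realm name in the mapping value must match the UNIX realm exactly (case included), because Windows compares the client principal in the presented ticket against this string; a mismatch produces an authentication failure with no obvious cause. Remove a mapping with `Set-ADUser -Remove @{ altSecurityIdentities = $value }` rather than clearing the attribute, so other mappings (for example X.509 ones) survive.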
