Attempting Windows 2003--MIT Kerberos interop

Stephen Jacob Stephen.Jacob at
Tue Oct 14 20:21:57 EDT 2003

On Tue, Oct 14, 2003 at 05:00:15PM -0700, Actually davidchr wrote:
> Was this ever answered?  If not:
> > -----Original Message-----
> > From: kerberos-bounces at 
> > [mailto:kerberos-bounces at] On Behalf Of Stephen Jacob
> [...]
> > The Windows 2003 Resource Kit
> > downloadable from does not appear to include this
> > program 
> Correct.  However, it does exist in support\tools\suptools.msi on the
> WS03 CD (probably why it didn't go in the reskit).  I'm looking to see
> if there's something we can do to prevent further confusion for people
> looking for ktpass in the future, now that it's evidently been moved...
> > I read a thread on this list from 2003.08.11-2003.08.13 entitled,
> > "Interoperability with windows 2003 KDC and MIT kerberos V,"
> > which seemed to suggest that somebody had got it working. 
> To my knowledge, the configuration steps haven't changed at all since
> Win2K, so just following the interop instructions on
> should work just fine.

Hi Dave,

Thanks for the response. :)

I had actually found the ktpass.exe program. In fact, it's in the
Windows Support Tools on both the Win2k and the Win2k3 media that I
have, for the respective OSes -- it may also be in the reskit for
Win2k, but I haven't checked that, since I found it in the Support
Tools). In fact, I achieved interoperation between MIT kerberos
(client) and both Windows 2000 Server (kerberos server) and Windows
2003 Server (again, as the kerberos server). I was incredibly busy
and then on vacation for a week, so I completely forgot send e-mail
saying I'd found my answer. Sorry about that.

Now, the remaining challenge is to get GSS-TSIG to interoperate. :)
I actually did get a non-MS GSS-TSIG implementation to interoperate
with Windows Server 2003... but have not yet been able to get it to
interoperate with Windows 2000 Server yet (not being helped by how
silent the MS DNS server is [doesn't log anything in the "DNS
Server" section of "Event Viewer" even when it refuses updates...
purportedly because of permissions issues, even though the
zone permissions are set up the same way as on Win2k3]).

 Stephen Jacob | Stephen.Jacob at | +1 650 381 6051
 Nominum, Inc. | | "Communication by Name"

More information about the Kerberos mailing list