Kerberos Configuration

Douglas E. Engert deengert at anl.gov
Thu Jul 29 15:32:54 EDT 2004



Gururaj wrote:
> 
> Hi Douglas,
> Sorry couldn't reply to your reply because of internet access problem.
> 
> Thanks that was really a nice reference link. But in that link everything
> is about interoperability (Unix and MIT Kerberos).
> 
> Let me elaborate about my problem.
> 
> My Domain controller machine is a Windows Server 2003. Now I'd enabled
> the Kerberos on this machine with all the parameters set to default.

Sounds OK, as it is the AD. What you may have enabled is the
ability for the AD to talk native Kerberos to non-Windows machines,
i.e. use UDP port 88 as well as TCP port 88.

> 
> The other part is my client machine. My client box is a Windows Server
> 2000.
> 
> I came to know that I need not do anything to configure the server as
> I will be already using Kerberos, right???

Yes, as long as the machine is a member of the domain. Adding it to the domain
registers the machine and assigns a key/password for use by the underlying
Kerberos

> 
> Can you clear some of my doubts???
> 
> 1. How to verify that the Kerberos is being used for authentication.

When you log on to the machine using your domain account, you will
get tickets. See (4) below, or use a network trace.


> 2. What's the need of running KSetup.exe on the client machine.

You don't have to run this. It is used for non-domain machines that want
to use Kerberos.

> 3. How to find the Principal Name and KDC Name on the server.

For a user it's called the userPrincipalName in the account records.

> 4. Finally, Can KerbTray.exe be of any help to me.

Yes, it will show you the tickets from step 1.

> 
> Also, I saw there's KDC Service on Windows 2000 machine(not running),
> my client machine. Do I need to start that service for any reasons????

No, the KDC is only run on the domain controllers. 

> 
> Thanks in adv.

Most Windows domain users have never heard of Kerberos, and don't need to
know it is even there.


> 
> Regards,
> Gururaj
> 
> deengert at anl.gov ("Douglas E. Engert") wrote in message news:<41011E4A.49778A26 at anl.gov>...
> > Gururaj wrote:
> > >
> > > Hi,
> > >
> > > I need to setup a Kerberos Authentication to execute some test cases.
> > >
> > > Basically I need to configure my Domain control for kerberos
> > > authentication. And a client box which authenticates through kerberos,
> > > for this I guess I need to run KSetup on the client machine.
> > >
> > > This is what I did...
> > > 1. Set all the default values in the Kerberos Policy Parameters
> > > 2. Ran Ksetup.exe on the client machine, got the following error
> > >
> > > Default realm: testmachine.com (NT Domain)
> > > Failed to create kerberos key: 5 (0x5)
> > >
> > > Do I need to configure anything for Key Distribution Center (KDC)
> > > before I run KSetup?
> >
> > Yes, ktpass, see:
> > http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> >
> > "To create a service instance account in the Active Directory"
> >
> > >
> > > Can anyone please give me step-by-step guidelines on setting up my
> > > Server and Client boxes?
> > >
> > > Thanks
> > > Gururaj,
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> > --
> >
> >  Douglas E. Engert  <DEEngert at anl.gov>
> >  Argonne National Laboratory
> >  9700 South Cass Avenue
> >  Argonne, Illinois  60439
> >  (630) 252-5444

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444