Windows 2K Domain Controller with AD

Jonathan Stephens jonsteph at
Mon Nov 15 23:11:13 EST 2004

As the KDC for the Windows Domain? No. The MIT KDC would be unable to
build the Privilege Attribute Certificate information (SID, primary
group, domain group membership, etc.) that the DC (or any network
service) would need in order to build the user's token. It is for this
same reason -- the need for a Windows principal of some kind -- that
accounts from a trusted MIT realm must be mapped to Windows principals.
There has to be something from which to build the token that LSASS can
compare against ACLs (and other things).

Please see this link for more details:

The link you referenced describes how to set up a trust between an
existing Windows domain and an MIT Kerberos realm. See Section II, step
10, where it talks about the name mapping I referenced above.


Jonathan Stephens
PSS Escalation Engineer
Microsoft Corp.


This information is provided as-is and without warranty of any kind.


-----Original Message-----
From: kerberos-bounces at [mailto:kerberos-bounces at] On
Behalf Of dkuhl
Sent: Friday, November 12, 2004 1:56 PM
To: kerberos at
Subject: Windows 2K Domain Controller with AD

I have come across conflicting references and I want to get it
straight. Can a Windows 2000 server running Active Directory use a
non-Windows machine running MIT Kerberos as its KDC?

I have come across references saying it cannot be done and then
another page saying how to do it (see link). Before I invest time and
effort in this I want to set the record straight. Please respond if you



How to configure a Win2K Domain Controller to successfully use tickets
from the MIT KDC to authenticate to the Win2K Domain


David Kuhl
Parity Systems
dkuhl at
