Windows 2K Domain Controller with AD

Jonathan Stephens jonsteph at microsoft.com
Mon Nov 15 23:11:13 EST 2004


As the KDC for the Windows Domain? No. The MIT KDC would be unable to
build the Privilege Attribute Certificate information (SID, primary
group, domain group membership, etc.) that the DC (or any network
service) would need in order to build the user's token. For this same
reason -- the need for a Windows principal of some kind -- accounts
from a trusted MIT realm must be mapped to Windows principals. There has
to be something from which to build the token that LSASS can compare
against ACLs (and other things).

Please see this link for more details:
http://www.microsoft.com/technet/security/bestprac/authent.mspx.

The link you referenced describes how to set up a trust between an
existing Windows domain and an MIT Kerberos realm. See Section II, step
10, where it talks about the name mapping I referenced above.

 --JS

Jonathan Stephens
PSS Escalation Engineer
Microsoft Corp.

--

This information is provided as-is and without warranty of any kind.

--

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of dkuhl
Sent: Friday, November 12, 2004 1:56 PM
To: kerberos at mit.edu
Subject: Windows 2K Domain Controller with AD

OK,
	I have come across conflicting references and I want to get this
straight.  Can a Windows 2000 server running Active Directory use a
non-Windows machine running MIT Kerberos as its KDC?

	I have come across references saying it cannot be done and then found
another page saying how to do it (see link).  Before I invest time and
effort in this I want to set the record straight.  Please respond if you
know.

Thanks,
D.

How to configure a Win2K Domain Controller to successfully use tickets
from the MIT KDC to authenticate to the Win2K Domain
http://www.upenn.edu/computing/pennkey/sysadmin/e_install_win/win-config.html


-- 

David Kuhl
Parity Systems
dkuhl at paritysys.com
-----------------------

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


