XP Workstation logging into Windows 2000/2003 AD Domain using MIT Kerberos KDC

Terry Jones terry.jones at utoronto.ca
Wed Jan 26 10:02:03 EST 2005


I am pretty new to Kerberos so I may mess up the terminology. 

We have had a couple of people attempt what I am describing below and
we have failed so far. I just wanted to consult the group with the
basic "is this possible" question first, then expand on to broader
questions like "who has done it" and "how is it done".

We have a student lab of Windows XP computers and we want the students
to have to authenticate to use them. We have an MIT Kerberos KDC that
"knows" all the students but we do not want the MIT KDC to have to
know each and every XP workstation.

We would like to set up a Windows Server 2003 (or 2000 if that makes a
difference) AD Domain Controller that the students log into, but we
want that AD Domain controller to contact the MIT KDC for
authentication purposes.

If we have to create explicit user accounts for each student in the
Windows Active Directory Domain we will, but if we could map them all
to a single account that would also be good.

In other words, we are willing to let the MIT KDC talk to the Windows
AD Domain Controller, not all the workstations. We want the XP
workstations to contact the Windows Domain Controller and have the
Windows Domain Controller touch base with the MIT KDC to authenticate
them.

I have set up a Windows Server 2003 AD Domain controller. It is all
working well from a DNS point of view. It is actually talking to the
MIT KDC but so far all I have gotten is Windows error from the tickets
returned when attempting a local login on the Windows Server and
authenticating to the MIT KDC. I have not had ANY success logging into
the Windows domain from an XP workstation... no traffic to the MIT KDC
whatsoever...

I welcome your general and detailed comments! Thanks. 

Terry Jones

