Microsoft KB Archive/324143

= HOW TO: Use the Kerberos Setup Tool (Ksetup.exe) =

PSS ID Number: 324143

Article Last Modified on 12/3/2003


The information in this article applies to:


 * Microsoft Windows 2000 Professional
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Small Business Server 2000




This article was previously published under Q324143



IN THIS TASK

 * SUMMARY
 * KSetup Syntax
 * Determine Current Settings
 * Set the Kerberos Domain
 * Add a Kerberos Domain Controller
 * Set the Local Computer Account Password
 * Map a Kerberos User to a Local User



== SUMMARY ==
KSetup is a command-line tool that configures Windows 2000 clients to use an MIT Kerberos server instead of using a Windows 2000 domain for user authentication. This article describes how to use KSetup to configure a computer for Kerberos authentication.


== KSetup Syntax ==
KSetup is part of the Windows 2000 Resource Kit. The tool updates the Windows 2000 registry to change the authentication settings so that the computer can communicate with MIT Kerberos domain controllers. When you run KSetup on clients, it changes how information is looked up during authentication and how users are authenticated. You can use KSetup on servers to provide cross-realm trust relationships that allow single sign-on across UNIX and Windows-based computers.

The following text is the syntax of the KSetup tool:

ksetup [/SetRealm ] [/MapUser  ] [/AddKdc   ] [/DelKdc   ] [/AddKpasswd   ] [/DelKpasswd   ] [/Server  ] [/SetComputerPassword  ] [/Domain  ] [/ChangePassword   ] [/?] [/Help ]

The following list describes the parameters of this tool:
 * /SetRealm : This parameter sets the name of a Kerberos realm.
 * /MapUser  : This parameter maps the name of a Kerberos principal to an account (the wildcard character [*] indicates any or all).
 * /AddKdc  : This parameter adds an additional Key Distribution Center (KDC) address for the specified realm.
 * /DelKdc  : This parameter deletes instances of the KDC address for the realm.
 * /AddKpasswd  : This parameter adds the specified Kpasswd server address for a realm.
 * /DelKpasswd  : This parameter deletes the specified Kpasswd server address for a realm.
 * /Server : This parameter specifies the name of a Windows 2000-based computer on which to make the change.
 * /SetComputerPassword : This parameter sets the local computer password.
 * /Domain : This parameter uses the specified domain.
 * /ChangePassword  : This parameter changes the logged-on user's password by using Kpassword.
 * /? or /Help: This parameter displays the usage screen.


== Determine Current Settings ==
To determine the current settings, run the KSetup tool without any parameters.


== Set the Kerberos Domain ==
To set the Kerberos domain for the current computer, use the /domain parameter:

ksetup /domain. .com


== Add or Remove a Kerberos Domain Controller ==
To add a Kerberos KDC, use /addkdc with the name of the domain that this KDC applies to and the address of the server for this domain. For example:

ksetup /addkdc. .com kerbsrv. .com

To remove a KDC, use the /delkdc parameter:

ksetup /delkdc. .com kerbsrv. .com


== Set the Local Computer Account Password ==
To set the password for the local computer account on the Kerberos server, use /setcomputerpassword. For example:

ksetup /setcomputerpassword


== Map a Kerberos User to a Local User ==
To map a Kerberos user to a local user account to turn on single sign-on across servers, use the /MapUser parameter:

ksetup /mapuser @kerberos. .com

You can also map users using wildcard characters (*). The special token AllUsers refers to all the users in a Kerberos domain and the wildcard character defines all the users in the local domain. For example, to map all users on a Kerberos KDC to the corresponding user on the local computer, run the following command:

ksetup /mapuser AllUsers *

NOTE: On a domain controller, this command maps users between the two authentication systems and allows both UNIX and Windows clients to log on to servers using the Kerberos authentication system.
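
The steps above run end to end, as an added example that is not part of the original article: a cmd.exe batch file that uses only parameters from the syntax list. The realm, server, principal and account names are constructed placeholders, and it assumes that the Kpasswd service runs on the same host as the KDC and that ksetup signals failure through its exit code.

```batch
@echo off
rem Added example with constructed names (EXAMPLE.COM, kdc1, alice).
rem Flags and argument order follow the parameter list in this article.
setlocal
set REALM=EXAMPLE.COM
set KDC=kdc1.example.com
set PRINCIPAL=alice@EXAMPLE.COM
set LOCALUSER=alice

rem Prompt for the computer account password so it is not stored in this file.
rem It must match the password set for this computer on the Kerberos server.
set /p HOSTPW=Computer account password: 
if "%HOSTPW%"=="" (
  echo No password entered, nothing changed.
  exit /b 1
)

rem 1. Name the realm, then add its KDC and Kpasswd server addresses.
rem    (Assumption: both services run on the same host.)
ksetup /SetRealm %REALM%
if errorlevel 1 goto fail
ksetup /AddKdc %REALM% %KDC%
if errorlevel 1 goto fail
ksetup /AddKpasswd %REALM% %KDC%
if errorlevel 1 goto fail

rem 2. Set the local computer account password.
ksetup /SetComputerPassword "%HOSTPW%"
if errorlevel 1 goto fail

rem 3. Map one named principal to one local account. An explicit mapping
rem    limits single sign-on to that principal; the AllUsers wildcard
rem    mapping covers every user in the Kerberos domain.
ksetup /MapUser %PRINCIPAL% %LOCALUSER%
if errorlevel 1 goto fail

rem 4. Run KSetup without parameters to display the resulting settings.
ksetup
exit /b 0

:fail
echo ksetup returned a non-zero exit code, stopping.
exit /b 1
```

Compare the settings displayed by the final ksetup call against the intended realm, KDC and user mapping before relying on the configuration.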


© 2004 Microsoft Corporation. All rights reserved.