Microsoft KB Archive/232170

From BetaArchive Wiki

Windows 2000 Kerberos Interoperability with MIT Kerberos Version 5

ID: Q232170



The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server



IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

The Windows 2000 Kerberos implementation of the Kerberos version 5 protocol is designed to be interoperable with other security services based on the MIT Kerberos version 5 reference implementation (RFC 1510). This interoperability supports the following configurations in Windows 2000:

  • A Windows 2000 Server-based domain controller can serve as the Kerberos Key Distribution Center server (KDC). This service provides authentication for MIT Kerberos-based client and host systems. UNIX systems can use "kinit" and the DES-CBC-MD5 or DES-CBC-CRC encryption type to authenticate to the Windows 2000 KDC.
  • The Windows 2000 Kerberos 5.0 Security Support Provider (SSP) implements the GSS-API Kerberos Mechanism Token format defined in RFC 1964. Windows 2000 does not provide the GSS-API; instead, the Kerberos support is available to Win32 programs using the SSPI APIs implemented by the Kerberos SSP. Client programs on UNIX using GSS-API can obtain session tickets to services on Windows 2000, and can complete mutual authentication, message integrity, and confidentiality. The context flags verified are GSS_C_MUTUAL_FLAG, GSS_C_REPLAY_FLAG, GSS_C_CONF_FLAG, and GSS_C_INTEG_FLAG.
  • Windows 2000 clients, either Server or Professional, can be configured to use an MIT Kerberos server. This provides a single sign-on to the MIT KDC and a local Windows 2000 client account.

Interoperability with MIT Kerberos services does require minor configuration changes from the default installation. For example, Windows 2000-based workstations using an MIT-based Kerberos KDC server must be able to locate the Kerberos realm and available KDC servers. Command-line tools are included to assist with the necessary configuration steps. The included tools are:

  • KSETUP: Configures alternate KDCs
  • KTPASS: Sets the password, the account name mappings, and the keytab generation for UNIX services that use the Windows 2000 Kerberos KDC
  • TRUSTDOM: Used to set up cross-realm trusts to MIT Kerberos realms

NOTE: MIT Kerberos interoperability requires a North American version of Windows 2000.

MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).


Using MIT Kerberos Clients

Configuring the Windows 2000 KDC

MIT Kerberos clients can configure the Krb5.conf file to use Windows 2000 Kerberos as the KDC server and the Windows 2000 domain as the Kerberos realm. To support MIT-based client systems, the Windows 2000 Kerberos server must be configured to support MIT password formats.

To configure the Windows 2000 KDC for MIT password formats:

  1. On the Windows 2000 domain controller (DC) hosting the KDC, install KDCSVC as a notification package under the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\NotificationPackages

    For additional information, please see the following article in the Microsoft Knowledge Base:

    Q161990 How to Enable Strong Password Functionality in Windows NT

  2. Reboot the domain controller to enable the newly installed notification package.
  3. Using the Windows 2000 Active Directory Users and Computers snap-in, change the password on the "krbtgt" user account so that the KDC's password format is updated. Set a complex password.
  4. Reset the passwords on any existing user accounts that you want to use with MIT clients.

Creating Computer and User Accounts

Use the Active Directory Users and Computers snap-in to create computer and user accounts for the host and user security principals logging on to the Windows 2000 Kerberos domain.

To configure the UNIX hosts:

  1. Create a new computer account for the UNIX host.

    1. Right-click the Computers folder, point to New, and then click Computer.
    2. Type the name of the UNIX host.
    3. In the Role box, click Computer is a workstation or member server.
  2. Use KTPASS to create the keytab file and configure the account for the UNIX host, then copy the keytab file to the UNIX system and merge the keytab file into /etc/krb5.keytab, as follows:

    1. Use the following command to generate the UNIX host keytab file, map the principal to the account, and set the host principal password:

      C:> KTPASS -princ host/hostname@NT-DNS-REALM-NAME -mapuser hostname$ -pass password -out unixmachine.keytab

      Where:

      - hostname is the host DNS name (for example, "computer.microsoft.com")
      - NT-DNS-REALM-NAME is the uppercase name of the Windows 2000 domain (for example, "DOMAIN.MICROSOFT.COM")
      - hostname$ is the host DNS name with a dollar sign ($) appended; this is the account for the computer
      - password is a complex password for the account

    2. Securely transfer the keytab file to the UNIX host. Then, merge the keytab file with the keytab file for the UNIX computer. The UNIX commands to merge the keytab file are:

      % ktutil
      ktutil: rkt unixmachine.keytab
      ktutil: list

      The output should appear similar to the following:

      slot KVNO Principal
      ---- ---- ------------------------------------------------
         1    1 host/computer.microsoft.com@DOMAIN.MICROSOFT.COM

      ktutil: wkt /etc/krb5.keytab
      ktutil: q

    3. Edit the /etc/krb5.conf file to refer to the Windows 2000 domain controller as the Kerberos KDC. The krb5.conf file entries should be similar to the following:

      [libdefaults]
      default_realm = DOMAIN.MICROSOFT.COM
      default_tkt_enctypes = des-cbc-md5
      default_tgs_enctypes = des-cbc-md5

      [realms]
      DOMAIN.MICROSOFT.COM = {
        kdc = server2.domain.microsoft.com:88
      }

      Either des-cbc-md5 or des-cbc-crc can be used for the two enctypes entries.

    4. The default encryption type entries (default_tkt_enctypes and default_tgs_enctypes) are optional. However, if the MIT client receives an encryption type error message, set the default types to one of the above.
    5. If your UNIX computer's DNS name does not include the realm name, you may need to map the host name to the Kerberos realm name. See the Kerberos 5 manual pages for more information about the krb5.conf file.
    6. Make sure that your computer clocks are synchronized (within 5 minutes) to the KDC's clock.
  3. Create UNIX accounts that correspond to the Windows 2000 domain accounts so that the login process knows to use Kerberos authentication. You can do this by using the VIPW command or administration tools, depending on how you manage UNIX accounts.
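The following script is an added example and is not part of this article or of the MIT or Microsoft tools it describes. It renders the krb5.conf fragment from the steps above for a Windows 2000 realm, parses it back to confirm the realm, enctype and KDC entries are what the KDC expects, checks a captured "ktutil list" listing for the expected host principal, and applies the five-minute clock tolerance. The function names (build_krb5_conf, parse_krb5_conf, check_keytab_listing, clock_skew_ok) and the sample listing are this example's own constructions.

```python
"""Added example (not from the KB article): build and validate the MIT client
configuration for a Windows 2000 KDC, and verify the merged host keytab."""
import re

# Encryption types the article says the Windows 2000 KDC supports for MIT clients.
SUPPORTED_ENCTYPES = ("des-cbc-md5", "des-cbc-crc")
MAX_SKEW_SECONDS = 5 * 60  # the article's clock tolerance

# Constructed sample of what `ktutil: list` prints after `rkt unixmachine.keytab`.
SAMPLE_LISTING = """slot KVNO Principal
---- ---- ------------------------------------------------
   1    1 host/computer.microsoft.com@DOMAIN.MICROSOFT.COM
"""


def build_krb5_conf(realm, kdc_host, enctype="des-cbc-md5", port=88):
    """Render the [libdefaults]/[realms] fragment the article shows.

    The realm must be the uppercase DNS name of the Windows 2000 domain and
    the enctype one of the two DES types the KDC supports for MIT clients.
    """
    if realm != realm.upper():
        raise ValueError("realm must be uppercase: %r" % realm)
    if enctype not in SUPPORTED_ENCTYPES:
        raise ValueError("unsupported enctype %r" % enctype)
    return (
        "[libdefaults]\n"
        "    default_realm = %s\n"
        "    default_tkt_enctypes = %s\n"
        "    default_tgs_enctypes = %s\n"
        "\n"
        "[realms]\n"
        "    %s = {\n"
        "        kdc = %s:%d\n"
        "    }\n" % (realm, enctype, enctype, realm, kdc_host, port)
    )


def parse_krb5_conf(text):
    """Minimal parser for the fragment above: {section: {key: value}}.

    Subsection relations (REALM = { kdc = ... }) are flattened to "REALM.kdc".
    Lines starting with '#' or ';' are comments, as in MIT krb5.
    """
    sections, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            sections.setdefault(section, {})
            continue
        if line.endswith("{"):
            sub = line[:-1].strip().rstrip("=").strip()
            continue
        if line == "}":
            sub = None
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if sub:
            key = sub + "." + key
        sections[section][key] = value.strip()
    return sections


def check_keytab_listing(listing, hostname, realm):
    """Return the KVNO of host/<hostname>@<realm> in a ktutil listing, or None."""
    expected = "host/%s@%s" % (hostname, realm)
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0].isdigit() and fields[2] == expected:
            return int(fields[1])
    return None


def clock_skew_ok(client_epoch, kdc_epoch, tolerance=MAX_SKEW_SECONDS):
    """True when the client clock is within the KDC's tolerance (5 minutes here)."""
    return abs(client_epoch - kdc_epoch) <= tolerance


if __name__ == "__main__":
    conf = build_krb5_conf("DOMAIN.MICROSOFT.COM", "server2.domain.microsoft.com")
    print(conf)
    parsed = parse_krb5_conf(conf)
    print("KDC:", parsed["realms"]["DOMAIN.MICROSOFT.COM.kdc"])
    print("host principal KVNO:", check_keytab_listing(
        SAMPLE_LISTING, "computer.microsoft.com", "DOMAIN.MICROSOFT.COM"))
```

Run it as a script to print the rendered fragment; in practice, feed check_keytab_listing the real "ktutil: list" output after the wkt step so that a keytab written for the wrong realm or host name is caught before the first kinit.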

Support for MIT Kerberos Services

Services running on UNIX computers can be configured with service accounts in the Windows 2000 directory. This allows full interoperability: MIT Kerberos clients and servers on UNIX computers can authenticate using the Windows 2000 Kerberos server, and Windows 2000 clients can authenticate to Kerberos services that support GSS-API.

To create a service instance account in the Windows 2000 directory:

  1. Use the Active Directory Users and Computers snap-in to create a user account for the UNIX service.
  2. Use the KTPASS tool to set up an identity mapping for the user account. Use this command:

    C:> KTPASS -princ service-instance@REALM -mapuser account-name -pass password -out unixmachine.keytab

    The format of the Kerberos service-instance name is:

    service/host.realm_name

    For example:

    sample/unix1.domain.microsoft.com

  3. Merge the keytab file with /etc/krb5.keytab file on the UNIX host.
  4. Change the account's password so that the new settings take effect. Note that you cannot map multiple instances to the same user account.

Using an MIT KDC with a Windows 2000 Workstation

For a Windows 2000 workstation to use an MIT Kerberos KDC, you must configure both the UNIX KDC server and the workstation as described below.

To configure the UNIX KDC server and the Windows 2000 workstations:

  1. Run the KSETUP tool to configure the UNIX KDC server and realm for the workstation to use.

    1. In the MIT realm, create a host principal for the computer. Use the following command:

      KADMIN: add_principal -pw password host/machine-name.dns-domainname

      For example:

      host/win2000pro.domain.com

    2. Because an MIT Kerberos realm is not a Windows 2000 domain, configure the workstation as a member of a workgroup.
    3. Set the UNIX realm and add a KDC server, as follows:

      C:> KSETUP /setdomain DOMAIN.MICROSOFT.COM
      C:> KSETUP /addkdc DOMAIN.MICROSOFT.COM mitkdc.microsoft.com

    4. Set the local machine account password, as follows:

      C:> KSETUP /setmachpassword password

  2. Reboot for the changes to take effect (this is a required step).
  3. Use KSETUP to configure single sign-on to local workstation accounts. Define the account mappings; this maps local machine accounts to Kerberos principals. For example:

    C:> KSETUP /mapuser user@DOMAIN.MICROSOFT.COM guest
    C:> KSETUP /mapuser AllUsers *

    Note that the second command maps clients to local accounts of the same name.

  4. Use KSETUP with no arguments to see the current settings.
  5. Use a UPN-style logon (account@REALM) to log on to the Windows 2000 Workstation.
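The following script is an added example, not part of this article and not KSETUP's own code. It models the account mappings shown above so you can see which local account a UPN-style logon lands in before relying on the mapping. The precedence it uses (an explicit principal mapping wins over the "AllUsers *" wildcard, the wildcard maps only to a local account of the same name that already exists, and only principals from the realm set with /setdomain are considered) is this example's assumption, not something the article states. The command lines and local account names are constructed sample data, and the function names are the example's own.

```python
"""Added example (not from the KB article): a model of KSETUP /mapuser account
mapping for single sign-on to local workstation accounts."""

WILDCARD_SOURCE = "allusers"   # the "AllUsers" keyword, compared case-insensitively
WILDCARD_TARGET = "*"          # "*" means: a local account with the same name


def parse_mapuser_commands(lines):
    """Collect (principal, local_account) pairs from KSETUP /mapuser lines, in order.

    A leading "C:>" prompt is tolerated; other KSETUP switches are ignored.
    """
    mappings = []
    for line in lines:
        parts = line.split()
        if parts and parts[0] == "C:>":
            parts = parts[1:]
        if (len(parts) >= 4 and parts[0].upper() == "KSETUP"
                and parts[1].lower() == "/mapuser"):
            mappings.append((parts[2], parts[3]))
    return mappings


def resolve_local_account(logon_name, realm, mappings, local_accounts):
    """Return the local account a logon of the form user@REALM maps to, or None.

    realm: the realm configured with KSETUP /setdomain
    mappings: output of parse_mapuser_commands
    local_accounts: set of account names that exist on the workstation
    """
    user, sep, logon_realm = logon_name.rpartition("@")
    if not sep or logon_realm.upper() != realm.upper():
        return None  # only principals from the configured realm are considered
    # Explicit principal mappings take precedence (assumption, see lead-in).
    for source, target in mappings:
        if source.lower() == logon_name.lower():
            return target if target in local_accounts else None
    # Then the wildcard: a same-name local account, if one exists.
    for source, target in mappings:
        if source.lower() == WILDCARD_SOURCE and target == WILDCARD_TARGET:
            return user if user in local_accounts else None
    return None


# Constructed sample: the commands from the article plus a hypothetical local account set.
SAMPLE_COMMANDS = [
    "C:> KSETUP /setdomain DOMAIN.MICROSOFT.COM",
    "C:> KSETUP /addkdc DOMAIN.MICROSOFT.COM mitkdc.microsoft.com",
    "C:> KSETUP /mapuser user@DOMAIN.MICROSOFT.COM guest",
    "C:> KSETUP /mapuser AllUsers *",
]
SAMPLE_LOCAL_ACCOUNTS = {"guest", "user", "alice", "Administrator"}


def demo():
    """Resolve a few sample logons against the sample mappings."""
    mappings = parse_mapuser_commands(SAMPLE_COMMANDS)
    results = {}
    for logon in ("user@DOMAIN.MICROSOFT.COM", "alice@DOMAIN.MICROSOFT.COM",
                  "bob@DOMAIN.MICROSOFT.COM", "alice@OTHER.EXAMPLE.COM"):
        results[logon] = resolve_local_account(
            logon, "DOMAIN.MICROSOFT.COM", mappings, SAMPLE_LOCAL_ACCOUNTS)
    return results


if __name__ == "__main__":
    for logon, account in demo().items():
        print("%-32s -> %s" % (logon, account))
```

demo() shows the effect of the two commands: user@DOMAIN.MICROSOFT.COM is signed on as guest because of the explicit mapping, alice@DOMAIN.MICROSOFT.COM reaches the local alice account through the wildcard, bob has no local account and is refused, and a principal from another realm is never mapped. Because the wildcard hands every realm principal the local account of the same name, review the local account list before adding it on a workstation.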


Setting Trusts with an MIT Kerberos Realm

You can set up a trust relationship between Windows 2000 domains and MIT Kerberos realms. The following procedure sets up a trust between the Windows 2000 domain "MITCOMPAT.NTTEST.MICROSOFT.COM" and the MIT Kerberos Realm "MIT.MICROSOFT.COM."

To set up the trust:

  1. On the domain controller for the Windows 2000 domain, use the following command to set up the configuration for the foreign MIT realm:

    C:> KSETUP /addkdc MIT.MICROSOFT.COM mitkdc.microsoft.com

  2. Use the following commands to create cross-realm principals in the foreign MIT realm:

    C:> KADMIN -q "ank -pw password krbtgt/MITCOMPAT.NTTEST.MICROSOFT.COM@MIT.MICROSOFT.COM"
    C:> KADMIN -q "ank -pw password krbtgt/MIT.MICROSOFT.COM@MITCOMPAT.NTTEST.MICROSOFT.COM"

  3. Set up the trust with the principal of the foreign MIT realm, krbtgt/MITCOMPAT.NTTEST.MICROSOFT.COM@MIT.MICROSOFT.COM (use the password for the foreign MIT realm):

    C:> TRUSTDOM MIT.MICROSOFT.COM -both -localonly -mit -pw password

Using MIT Sample Programs

The MIT Kerberos Krb5-1.0 distribution media includes sample programs that demonstrate Kerberos using both the Krb5 and GSS-APIs. These sample programs run properly on a UNIX system configured to use the Windows 2000 KDC. The samples are located in the following folders:

  • /usr/src/krb5/krb5-1.0/src/appl/sample
  • /usr/src/krb5/krb5-1.0/src/appl/gss-sample

Configure the UNIX host to use the Windows 2000 KDC, create a user account in the Windows 2000 directory, and set the password on the account. Verify that you can use "kinit" to authenticate from the UNIX host to the Windows 2000 KDC.

Keywords : kbenv kbnetwork
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 30, 1999
© 2000 Microsoft Corporation. All rights reserved.