Microsoft KB Archive/232170: Difference between revisions
-----
'''IMPORTANT''': This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.<br />
<br />
The Windows 2000 Kerberos implementation of the Kerberos version 5 protocol is designed to be interoperable with other security services based on the MIT Kerberos version 5 reference implementation (RFC 1510). This interoperability supports the following configurations in Windows 2000:
* A Windows 2000 Server-based domain controller can serve as the Kerberos Key Distribution Center server (KDC). This service provides authentication for MIT Kerberos-based client and host systems. UNIX systems can use "kinit" and the DES-CBC-MD5 or DES-CBC-CRC encryption type to authenticate to the Windows 2000 KDC.
* The Windows 2000 Kerberos 5.0 Security Support Provider (SSP) implements the GSS-API Kerberos Mechanism Token format defined in RFC 1964. Windows 2000 does not provide the GSS-API; instead, the Kerberos support is available to Win32 programs using the SSPI APIs implemented by the Kerberos SSP. Client programs on UNIX using GSS-API can obtain session tickets to services on Windows 2000, and can complete mutual authentication, message integrity, and confidentiality. The context flags verified are GSS_C_MUTUAL_FLAG, GSS_C_REPLAY_FLAG, GSS_C_CONF_FLAG, and GSS_C_INTEG_FLAG.
* Windows 2000 clients, either Server or Professional, can be configured to use an MIT Kerberos server. This provides a single sign-on to the MIT KDC and a local Windows 2000 client account.
'''WARNING''': Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.<br />
<br />
For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).<br />
<br />
<blockquote>[[../161990|Q161990]] How to Enable Strong Password Functionality in Windows NT</blockquote></li>
<li>Reboot the domain controller to enable the newly installed notification package.</li>
<li>Using the Windows 2000 Active Directory Users and Computers snap-in, change the password on the "krbtgt" user account so that the KDC's password format is updated. Set the password to be a complex password.</li>
<li>Reset the passwords on any existing user accounts that you want to use with MIT clients.</li></ol>
Where:<br />
<br />
- hostname is the host DNS name ("computer.microsoft.com")<br />
<br />
- NT-DNS-REALM-NAME is the uppercase name of the Windows 2000 domain ("DOMAIN.MICROSOFT.COM")<br />
<br />
- hostname$ is the host DNS name with a dollar sign ($) appended; this is the account for the computer<br />
=== Setting Trusts with an MIT Kerberos Realm ===
You can set up a trust relationship between Windows 2000 domains and MIT Kerberos realms. The following procedure sets up a trust between the Windows 2000 domain "MITCOMPAT.NTTEST.MICROSOFT.COM" and the MIT Kerberos realm "MIT.MICROSOFT.COM".<br />
<br />
To set up the trust:<br />
<blockquote>C:> KSETUP /addkdc MIT.MICROSOFT.COM mitkdc.microsoft.com</blockquote></li>
<li><p>Use the following commands to create cross-realm principals in the foreign MIT realm (MIT kadmin's "ank" is the add_principal command and "-pw" supplies the principal's password):</p>
<blockquote>C:> KADMIN -q "ank -pw password<br />
krbtgt/MITCOMPAT.NTTEST.MICROSOFT.COM@MIT.MICROSOFT.COM"<br />
<br />
C:> KADMIN -q "ank -pw password<br />
krbtgt/MIT.MICROSOFT.COM@MITCOMPAT.NTTEST.MICROSOFT.COM"</blockquote></li>
<li><p>Set up the trust with the principal of the foreign MIT realm:</p>
<blockquote>krbtgt/MITCOMPAT.NTTEST.MICROSOFT.COM@MIT.MICROSOFT.COM (use the password for the foreign MIT realm)<br />
* /usr/src/krb5/krb5-1.0/src/appl/gss-sample
Configure the UNIX host to use the Windows 2000 KDC, create a user account in the Windows 2000 directory, and set the password on the account. Verify that you can use "kinit" to authenticate from the UNIX host to the Windows 2000 KDC.
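The trust procedure above and the instruction to configure the UNIX host against the Windows 2000 KDC are given only in prose. The following Python script is an added example, not code from the KB article or from Microsoft: it writes the krb5.conf an MIT client needs to treat a Windows 2000 domain as its realm (with the DES-CBC-MD5 and DES-CBC-CRC encryption types the article names), derives the two cross-realm krbtgt principals the trust requires, and checks a kadmin listing for them. The realm and host names are the article's; the KDC host name kdc.domain.microsoft.com, the allow_weak_crypto setting (needed only on current MIT releases), the "host/" service-principal form, and the sample listprincs output are assumptions constructed for the example.

```python
"""Added example (not code from the KB article or from Microsoft).

Builds the krb5.conf an MIT Kerberos client uses to treat a Windows 2000
domain as its realm, derives the cross-realm krbtgt principal pair a
Windows 2000 / MIT trust needs, and checks a kadmin listing for that pair.
Realm and host names come from the article; the KDC host name, the
allow_weak_crypto line and the listprincs output are constructed here.
"""

# Encryption types the article says MIT clients use against a Windows 2000 KDC.
W2K_ENCTYPES = ("des-cbc-md5", "des-cbc-crc")


def validate_realm(realm: str) -> bool:
    """The realm for a Windows 2000 domain is its DNS name in upper case
    (the article's NT-DNS-REALM-NAME); reject lower case or malformed names."""
    if not realm or realm != realm.upper():
        return False
    labels = realm.split(".")
    return all(label and label.replace("-", "").isalnum() for label in labels)


def host_principals(hostname: str, realm: str) -> dict:
    """Names derived from a host's DNS name: the computer account (DNS name
    plus '$', as the article states) and the host service principal in the
    standard Kerberos host/<fqdn>@REALM form (assumed; the article does not
    show it)."""
    if not validate_realm(realm):
        raise ValueError(f"realm must be an upper-case DNS name: {realm!r}")
    return {
        "computer_account": f"{hostname}$",
        "service_principal": f"host/{hostname}@{realm}",
    }


def build_krb5_conf(realm: str, kdc: str, domain: str = "") -> str:
    """Minimal krb5.conf that points an MIT client at a Windows 2000 KDC."""
    if not validate_realm(realm):
        raise ValueError(f"realm must be an upper-case DNS name: {realm!r}")
    domain = (domain or realm).lower()
    enctypes = " ".join(W2K_ENCTYPES)
    lines = [
        "[libdefaults]",
        f"    default_realm = {realm}",
        f"    default_tkt_enctypes = {enctypes}",
        f"    default_tgs_enctypes = {enctypes}",
        "    # Assumption: current MIT releases refuse DES without this;",
        "    # the 1999-era article predates that restriction.",
        "    allow_weak_crypto = true",
        "",
        "[realms]",
        f"    {realm} = {{",
        f"        kdc = {kdc}",
        "    }",
        "",
        "[domain_realm]",
        f"    .{domain} = {realm}",
        f"    {domain} = {realm}",
    ]
    return "\n".join(lines) + "\n"


def cross_realm_principals(windows_domain: str, mit_realm: str) -> tuple:
    """The two krbtgt principals the article creates in the MIT realm with
    kadmin 'ank -pw ...', one for each direction of the trust."""
    for realm in (windows_domain, mit_realm):
        if not validate_realm(realm):
            raise ValueError(f"realm must be an upper-case DNS name: {realm!r}")
    return (
        f"krbtgt/{windows_domain}@{mit_realm}",
        f"krbtgt/{mit_realm}@{windows_domain}",
    )


def missing_cross_realm(listprincs_output: str, windows_domain: str,
                        mit_realm: str) -> list:
    """Return the cross-realm principals absent from a kadmin 'listprincs'
    listing (one principal per line; other lines are ignored)."""
    present = {line.strip() for line in listprincs_output.splitlines()}
    return [p for p in cross_realm_principals(windows_domain, mit_realm)
            if p not in present]


# Constructed sample listing: only one direction of the trust exists so far.
SAMPLE_LISTPRINCS = """\
Authenticating as principal admin/admin@MIT.MICROSOFT.COM with password.
K/M@MIT.MICROSOFT.COM
kadmin/admin@MIT.MICROSOFT.COM
krbtgt/MIT.MICROSOFT.COM@MIT.MICROSOFT.COM
krbtgt/MITCOMPAT.NTTEST.MICROSOFT.COM@MIT.MICROSOFT.COM
"""

if __name__ == "__main__":
    print(build_krb5_conf("DOMAIN.MICROSOFT.COM", "kdc.domain.microsoft.com"))
    print(host_principals("computer.microsoft.com", "DOMAIN.MICROSOFT.COM"))
    print("still to create:", missing_cross_realm(
        SAMPLE_LISTPRINCS, "MITCOMPAT.NTTEST.MICROSOFT.COM", "MIT.MICROSOFT.COM"))
```

Running the script prints the generated krb5.conf and reports that the krbtgt/MIT.MICROSOFT.COM@MITCOMPAT.NTTEST.MICROSOFT.COM principal still has to be created in the constructed listing. Supplying the principal's password with "-pw" on the kadmin command line, as the article's commands do, leaves it in the command history; letting kadmin prompt for it keeps it out.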
Additional query words:
Latest revision as of 13:45, 21 July 2020
The information in this article applies to:
== SUMMARY ==
The Windows 2000 Kerberos implementation of the Kerberos version 5 protocol is designed to be interoperable with other security services based on the MIT Kerberos version 5 reference implementation (RFC 1510). This interoperability supports the following configurations in Windows 2000:
Interoperability with MIT Kerberos services does require minor configuration changes from the default installation. For example, Windows 2000-based workstations using an MIT-based Kerberos KDC server must be able to locate the Kerberos realm and available KDC servers. Command-line tools are included to assist with the necessary configuration steps. The included tools are:
NOTE: MIT Kerberos interoperability requires a North American version of Windows 2000.
== MORE INFORMATION ==
=== Using MIT Kerberos Clients ===
==== Configuring the Windows 2000 KDC ====
MIT Kerberos clients can configure the Krb5.conf file to use Windows 2000 Kerberos as the KDC server and the Windows 2000 domain as the Kerberos realm. To support MIT-based client systems, the Windows 2000 Kerberos server must be configured to support MIT password formats.
==== Creating Computer and User Accounts ====
Use the Active Directory Users and Computers snap-in to create computer and user accounts for the host and user security principals logging on to the Windows 2000 Kerberos domain.
==== Support for MIT Kerberos Services ====
Services running on UNIX computers can be configured with service accounts in the Windows 2000 directory. This allows full interoperability: MIT Kerberos clients and servers on UNIX computers can authenticate using the Windows 2000 Kerberos server, and Windows 2000 clients can authenticate to Kerberos services that support GSS-API.
=== Using an MIT KDC with a Windows 2000 Workstation ===
For a Windows 2000 workstation to use an MIT Kerberos KDC, you must configure both the UNIX KDC server and the workstation as described below.
=== Setting Trusts with an MIT Kerberos Realm ===
You can set up a trust relationship between Windows 2000 domains and MIT Kerberos realms. The following procedure sets up a trust between the Windows 2000 domain "MITCOMPAT.NTTEST.MICROSOFT.COM" and the MIT Kerberos realm "MIT.MICROSOFT.COM".
=== Using MIT Sample Programs ===
The MIT Kerberos Krb5-1.0 distribution media includes sample programs that demonstrate Kerberos using both the Krb5 and GSS-APIs. These sample programs run properly on a UNIX system configured to use the Windows 2000 KDC. The samples are located in the following folders:
Configure the UNIX host to use the Windows 2000 KDC, create a user account in the Windows 2000 directory, and set the password on the account. Verify that you can use "kinit" to authenticate from the UNIX host to the Windows 2000 KDC.
Additional query words:
Keywords: kbenv kbnetwork
Last Reviewed: December 30, 1999