Last Updated: October 22, 2009

Windows Kerberos Interoperability Conditions

1. The mapped Active Directory user account needs to reside in a domain which is included in a trust path between the MIT Kerberos realm (UMICH.EDU) and the resource (computer) domain.

   All centrally maintained Active Directory user accounts in the forest root domain, UMROOT, are guaranteed to be in a Kerberos trust path, since all trust from the U-M forest to the UMICH.EDU realm flows through UMROOT. W2k user accounts which reside in the same domain as the logon computer also define a correct trust path.

   For some configurations, pass-thru logons will fail. For instance, if an Active Directory user object resides in one Active Directory domain tree (ad.engin.umich.edu), but the computer he/she is using to logon is in another domain tree (adsroot.itcs.umich.edu), the trust path may not include the domain of the user.

2. The trust path must traverse the forest root domain.

   This is a given in the U-M Active Directory forest, since all trust to the UMICH.EDU realm flows thru the forest root domain, UMROOT.

3. If two Active Directory domains in the trust path both contain the same mapped principal name, the account in the domain that is closest to the MIT realm is that one that will be used. This is a result of Kerberos referrals filtering down from the MIT realm to the resource domain, discovering Active Directory resources along the way.

   As an example, consider the case where user bjensen has dual Active Directory accounts; one centrally-maintained account in UMROOT, and another account in a delegated OU of the UMICH domain. If both accounts are mapped to bjensen@UMICH.EDU, then the account in the UMROOT domain will be used for pass-thru logon's. If the mapping is removed from bjensen's UMROOT account, then the bjensen UMICH account will be used for pass-thru logons.

4. The Windows client workstation must be a member of a domain in the Active Directory forest. Windows 2000 and XP are supported. A Windows 2003 server can also be configured to use pass-thru in the same way if needed.

   In an Active Directory forest, all computers within the forest are Kerberos principals, just like users. If a user wants to logon at a computer that is not a member of the U-M Active Directory forest, he/she may be able to use Terminal Services to logon to another computer which is a member of the forest.

5. The Windows client workstations must be prepared for Kerberos pass-thru logons by having certain registry settings.

   ITCS offers a reg file that will prepare a Windows 2000 or XP workstation for pass-thru logon.

   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
   Control\Lsa\Kerberos\Domains\UMICH.EDU]
   
   Key:   RealmFlags
   Type:  DWORD
   Value: 8
   
   Key:   KPasswdNames
   Type:  MULTI_SZ
   Value: kerberos.umich.edu
          kerberos-1.umich.edu
          kerberos-2.umich.edu
          kerberos-3.umich.edu
   
   Key:   KdcNames
   Type:  MULTI_SZ
   Value: kerberos.umich.edu
          kerberos-1.umich.edu
          kerberos-2.umich.edu
          kerberos-3.umich.edu
   
   

6. The Active Directory user object to be used for pass-thru logons must be "mapped" to the U-M Kerberos UMICH.EDU realm.

   All centrally-maintained Active Directory  user accounts in the UMROOT domain include a Kerberos mapping of the user to the UMICH.EDU realm.

7. The Active Directory user must have a U-M uniqname, and know their U-M Kerberos password.

   The user's U-M uniqname should match the user's Active Directory account name. This a convention that has been established for the creation of users within the U-M Active Directory

    
   

   
   Information and Technology Services
   
   Contact ITS  |  U-M IT Resources  |  Wolverine Access  |  University of Michigan