Windows Cross-Realm Trust

What follows are step-by-step instructions on how to create a Cross-Domain Realm PennKey and password in Penn's KDC using the kadmin program.

You first need a KAdmin PennKey and password, which allows you to manage PennKeys for the Microsoft realm or the Penn DNS domain name named in the PennKey. To acquire a KAdmin PennKey, see the central IT contact for your school or center who issues KAdmin PennKeys.

Getting Started with kadmin

Make sure you have:

  1. A KAdmin PennKey and password.

  2. The Windows version of kadmin installed: download the kadmin installer and execute kadmsetup to initiate the installation.

Create a Cross-Realm Trust PennKey

  1. Run kadmin. Use your new KAdmin PennKey and password to authenticate to the kadmin session. At the kadmin prompt type:

    addprinc +allow_svr krbtgt/MSDomainName@UPENN.EDU
    addprinc +allow_svr krbtgt/ISC-KERBTEST.UPENN.EDU@UPENN.EDU

    You'll be prompted for a password; please select a secure one. Remember this password, because you will need to use it later. Also note that the password is subject to our password-checking rules.

  2. While the principal is being created, you should see something similar to:

    "No policy specified for krbtgt/ISC-KERBTEST.UPENN.EDU@UPENN.EDU
    assigning default. Principal created."

  3. At the kadm.exe prompt type: exit.