How to use kadmin in a Windows environment
What follows are step-by-step instructions on how to create a
Cross-Domain Realm PennKey and password in Penn's KDC using
the kadmin program.
You first need a KAdmin PennKey and
password, which allows you to manage PennKeys for the Microsoft realm or
the Penn DNS domain name named in the PennKey. To acquire a KAdmin PennKey,
see the central IT contact for your school or center who issues
KAdmin PennKeys.
Getting Started with kadmin
Make sure you have:
A KAdmin PennKey and password.
Download the Windows version of the
kadmin installer and execute kadmsetup
to initiate the installation.
Create a Cross-Realm Trust PennKey
Run kadmin. Use your new KAdmin PennKey and password to
authenticate to the kadmin session. At the kadmin
prompt type:
addprinc -e des-cbc-crc:normal +allow_svr krbtgt/MSDomainName@UPENN.EDU
Example:
addprinc -e des-cbc-crc:normal +allow_svr krbtgt/ISC-KERBTEST.UPENN.EDU@UPENN.EDU
You'll be prompted for a password; please select a secure
password. Please remember this password; you will need to use it
in Section II item 7 of the "How to Configure Windows 2000 to trust
Penn's KDCs" document. Also note that the password is subject to our
password-checking rules.
While the principal is being created, you should see something
similar to:
"No policy specified for krbtgt/ISC-KERBTEST.UPENN.EDU@UPENN.EDU
assigning default. Principal created."
At the kadm.exe prompt type: exit.
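An added check, not part of Penn's original instructions: before exiting, getprinc krbtgt/MSDomainName@UPENN.EDU at the kadmin prompt displays the new principal, and the Python sketch below parses that text to confirm the principal name and report which key encryption types it holds. The function names are hypothetical, the sample output is constructed, and the layout assumed is that of recent MIT kadmin releases, which print enctype names on the "Key:" lines.

```python
import re

# Single-DES enctypes, deprecated for Kerberos by RFC 6649.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed sample of getprinc output for the example principal above
# (assumed MIT kadmin layout; not captured from Penn's KDC).
SAMPLE_GETPRINC = """\
Principal: krbtgt/ISC-KERBTEST.UPENN.EDU@UPENN.EDU
Expiration date: [never]
Number of keys: 1
Key: vno 1, des-cbc-crc
MKey: vno 1
Attributes:
Policy: [none]
"""

def parse_getprinc(text):
    """Return the principal name, policy and (kvno, enctype) key list."""
    info = {"principal": None, "policy": None, "keys": []}
    for line in text.splitlines():
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "principal":
            info["principal"] = value
        elif field == "policy":
            info["policy"] = value
        elif field == "key":
            # "vno 1, des-cbc-crc" or "vno 1, des-cbc-crc:v4" (salt after the colon)
            m = re.match(r"vno (\d+),\s*([^,:\s]+)", value)
            if m:
                info["keys"].append((int(m.group(1)), m.group(2).lower()))
    return info

def check_cross_realm(text, ms_domain, realm="UPENN.EDU"):
    """Return a list of findings; an empty list means nothing to report."""
    info = parse_getprinc(text)
    expected = f"krbtgt/{ms_domain}@{realm}"
    findings = []
    if info["principal"] != expected:
        findings.append(f"principal is {info['principal']!r}, expected {expected!r}")
    if not info["keys"]:
        findings.append("no keys listed")
    else:
        current = max(k for k, _ in info["keys"])  # newest key version
        enctypes = {e for k, e in info["keys"] if k == current}
        if enctypes <= WEAK_ENCTYPES:
            findings.append(f"kvno {current} has only single-DES keys: {sorted(enctypes)}")
    return findings

if __name__ == "__main__":
    for finding in check_cross_realm(SAMPLE_GETPRINC, "ISC-KERBTEST.UPENN.EDU"):
        print("NOTE:", finding)
```

For the constructed sample the only finding is the single-DES key, which is what the -e des-cbc-crc:normal option in the addprinc command requests.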