How to configure a Win2K Domain Controller to successfully use tickets from
the MIT KDC to authenticate to the Win2K Domain
Getting Started
Server — Windows 2000 Domain Controller Configuration
Workstation — Windows 2000 Pro or XP Configuration
Notes
I. Getting Started
Make sure you have:
Windows 2000 Service Pack 3 (newly released; ISC testing still pending). The service pack is available from
the Microsoft Windows 2000 downloads web site.
The Windows 2000 Server CD.
A KAdmin PennKey for the Active Directory realm for which you
are enabling Kerberos authentication, which will resemble this:
your_pennname/kadmin-MSDOMAIN.UPENN.EDU@UPENN.EDU
See the
KAdmin HOWTO
for how to get and use KAdmin PennKeys.
A Cross-Realm Trust PennKey. Create this with the kadmin application,
authenticating with your KAdmin PennKey. The Cross-Realm Trust
PennKey for your Windows 2000 domain should look something like:
krbtgt/MSDOMAIN.UPENN.EDU@UPENN.EDU
Note: You'll be prompted to type in a password for your
Cross-Realm Trust PennKey. Remember this password! You
will need it in Section II, Step #7 below.
For step by step instructions on how to create a Cross-Realm
Trust PennKey, please see the Windows kadmin
documentation.
Each of your Active Directory domain users already having been
issued a User PennKey in order to use PennKey authentication to
your server.
II. Server — Windows 2000 Domain Controller Configuration
Verify that you have Service Pack 2 or later installed. To check
this, from the Start menu select Run, type "winver.exe" and click
OK. This will open a window with the following information:
Version 5.0 (Build 2195: Service Pack 2)
The Windows 2000 server needs to be a domain controller with Active Directory
(AD) already installed.
The Windows 2000 Domain Controllers' records must be uploaded to Penn's DNS
server through Active Directory Assistant, because DNS queries are used to locate
the Windows 2000 Domain Controllers. For more information on how to use Active
Directory Assistant, available with the Assignments application, please read
the Assignments documentation.
Install the Kerberos utility files (the Support Tools), which are located on the Windows
2000 CD-ROM in the directory \Support\Tools. To begin installation
of the utilities run Setup.exe from that directory.
From a command prompt (cmd.exe) on your domain controller,
type the following commands (UPENN.EDU must be in upper case):
ksetup /addkdc UPENN.EDU kerberos1.upenn.edu
ksetup /addkdc UPENN.EDU kerberos2.upenn.edu
ksetup /addkdc UPENN.EDU kerberos3.upenn.edu
Type ksetup by itself to see a summary of current settings.
You should see something similar to:
C:> ksetup
default realm = isc-kerbtest.upenn.edu (NT Domain)
UPENN.EDU:
kdc = kerberos1.upenn.edu
kdc = kerberos2.upenn.edu
kdc = kerberos3.upenn.edu
No user mappings defined.
Note: The KDCs must be listed in this order.
From the Administrative Tools menu select Active Directory Domains
and Trusts. Right-click on your domain name, select Properties,
and then the tab labeled Trusts.
In the section labeled Domains trusted by this domain click the Add
button. Fill in UPENN.EDU in upper case as the Trusted Domain
Name. In the password box, enter the password you chose when
you created your Cross-Realm Trust PennKey in Section I; this password is the
key shared by the two realms, so it must match exactly. Adding the realm in this
panel creates a one-way trust: your Windows 2000 domain will accept tickets
issued by UPENN.EDU, but UPENN.EDU does not trust your domain.
You will receive the following Active Directory Error message, which is normal
for this process:
The UPENN.EDU domain cannot be contacted. If this domain
is a windows domain, the trust cannot be set up until the domain is contacted.
Click Cancel and try again later. If this is an interoperable non-windows
Kerberos realm and you want to set up this side of the trust, click OK.
After completing Steps #6-7, the configuration of trusted domains
for Active Directory should have UPENN.EDU listed in the top
panel under the "Domains trusted by this domain:". Click OK
to continue.
At this point you MUST restart the machine.
After the machine reboots, log on with Admin privileges and create a "name
mapping" as follows:
Select Active Directory Users and Computers from the Admin Tools
menu.
From the MMC menu select View>Advanced Features.
Right-click on a user name and select Name Mappings...
Select the tab labeled Kerberos Names and click Add.
In the blank type "pennKey@UPENN.EDU", where pennKey is the user's
PennName. The Kerberos name (i.e., PennKey) is case sensitive, so be sure
to type it exactly as it was issued, with the realm in upper case.
Log-out. At the Log On screen (Ctrl-Alt-Del screen) type in your
PennKey@UPENN.EDU.
Using your Kerberos password, you should now be able to log on to the
Domain Controller as the Active Directory user you mapped in Step #10, above.
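Steps #9-10 above can also be done from a script. The following PowerShell is an added example written for this page, not ISC's or Microsoft's code: the Name Mappings dialog stores a Kerberos name mapping in the user's altSecurityIdentities attribute as Kerberos:principal@REALM, and this script writes that value and reads it back so the mapping can be checked without opening the dialog. It assumes a domain-joined host with PowerShell and .NET System.DirectoryServices (PowerShell did not ship with Windows 2000, so on the Domain Controller itself use the dialog as described above); the account jjones and the PennName joe are hypothetical.

```powershell
# Added example, not from the ISC page: create the Kerberos name mapping of
# Section II, step 10 with a script instead of the Name Mappings dialog.
# The dialog stores the mapping in the user's altSecurityIdentities attribute
# as "Kerberos:<principal>@<REALM>"; that value is what lets the domain
# controller map a ticket for joe@UPENN.EDU to the AD account jjones.
# Assumptions (hypothetical names): the script runs as a domain admin on a
# domain-joined host with .NET System.DirectoryServices; the AD account is
# jjones and the PennName is joe. Change the parameters for a real user.
param(
    [string]$SamAccountName = "jjones",
    [string]$PennName       = "joe",
    [string]$Realm          = "UPENN.EDU"
)

# The Kerberos name is case sensitive: keep the PennName exactly as issued and
# force the realm to upper case, as the page requires for UPENN.EDU.
$mapping = "Kerberos:{0}@{1}" -f $PennName, $Realm.ToUpperInvariant()

# Find the account by sAMAccountName in the domain this host belongs to.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if ($null -eq $result) { throw "No AD user with sAMAccountName '$SamAccountName'" }
$user = $result.GetDirectoryEntry()

# altSecurityIdentities is multi-valued; add the mapping only if it is absent.
# -ccontains is a case-sensitive comparison, matching Kerberos semantics.
$existing = @($user.Properties["altSecurityIdentities"])
if ($existing -ccontains $mapping) {
    Write-Host "Mapping already present on ${SamAccountName}: $mapping"
} else {
    [void]$user.Properties["altSecurityIdentities"].Add($mapping)
    $user.CommitChanges()
    Write-Host "Added mapping $mapping to $SamAccountName"
}

# Read back from the directory and list every Kerberos mapping on the account;
# more than one entry here means more than one principal can log on as jjones.
$user.RefreshCache(@("altSecurityIdentities"))
$user.Properties["altSecurityIdentities"] | Where-Object { $_ -like "Kerberos:*" }
```

The read-back at the end is the check worth keeping: every Kerberos:... value on the account is a principal that can log on as that Active Directory user, so an unexpected extra value is worth investigating.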
III. Workstation — Windows 2000 Pro or XP Configuration
Verify that you have the latest service pack installed. To check this, from
the start menu select Run and type "winver.exe" and click OK.
This will open a window with following information:
Version 5.0 (Build 2195: Service Pack 2)
Install the Kerberos utility files (the Support Tools), found on the Windows 2000
Pro and Windows XP Pro CD-ROMs in the directory \Support\Tools.
To begin installation of the utilities run Setup.exe
found in that folder. For Windows XP Pro, choose "Complete" when
selecting an installation type.
From a command prompt (cmd.exe) on your windows machine, type the following
commands (UPENN.EDU must be in upper case:)
ksetup /addkdc UPENN.EDU kerberos1.upenn.edu
ksetup /addkdc UPENN.EDU kerberos2.upenn.edu
ksetup /addkdc UPENN.EDU kerberos3.upenn.edu
Type ksetup by itself to see a summary of current settings. You
should see something similar to:
C:> ksetup
default realm = isc-kerbtest.upenn.edu (NT Domain)
UPENN.EDU:
kdc = kerberos1.upenn.edu
kdc = kerberos2.upenn.edu
kdc = kerberos3.upenn.edu
No user mappings defined.
At this point you MUST restart the machine.
At the Log On screen (Ctrl-Alt-Del screen) type in your PennKey@UPENN.EDU.
Using your Kerberos password, you should now be able to log on to the
Windows 2000 domain as the Active Directory user mapped to that PennKey in
Section II, Step #10.
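The ksetup steps in Sections II and III are the same on the Domain Controller and on the workstation. As an added example (not from this page, and not ISC's or Microsoft's code), the following PowerShell script registers the KDCs in the required order and then parses the ksetup summary to confirm the realm is present with exactly those KDCs in that order, which is the check a practitioner wants instead of reading the summary by eye. It assumes ksetup.exe from the Support Tools is on the PATH, a host with PowerShell, and the summary layout shown above; the realm and KDC names are the page's own. The reboot the page requires is still a separate manual step.

```powershell
# Added example, not from the ISC page: run the ksetup steps of Sections II
# and III and check the result instead of reading the "ksetup" summary by eye.
# Assumptions: ksetup.exe from the Support Tools is on PATH, and the summary
# has the layout shown on the page: a "<REALM>:" line followed by one
# "kdc = <host>" line per KDC. The realm and KDC order are the page's.
$Realm = "UPENN.EDU"                     # must be upper case
$Kdcs  = @("kerberos1.upenn.edu",        # the page says the KDCs must be in this order
           "kerberos2.upenn.edu",
           "kerberos3.upenn.edu")

function Get-KsetupKdc {
    # Parse "ksetup" summary lines and return the KDC hosts listed under
    # $Realm, in the order ksetup prints them.
    param([string[]]$Summary, [string]$Realm)
    # Header is "UPENN.EDU:" on its own line (or at the end of a line if the
    # output was wrapped, as in the page's transcript).
    $header  = '(^|\s)' + [regex]::Escape($Realm) + ':$'
    $inRealm = $false
    $found   = @()
    foreach ($line in $Summary) {
        $t = $line.Trim()
        if ($t -match $header) { $inRealm = $true; continue }
        if (-not $inRealm) { continue }
        if ($t -match '^kdc\s*=\s*(\S+)$') { $found += $Matches[1] } else { break }
    }
    return ,$found
}

# Register each KDC; ksetup appends to the realm's list, so running the
# commands in order preserves the order.
foreach ($kdc in $Kdcs) {
    & ksetup /addkdc $Realm $kdc | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ksetup /addkdc $Realm $kdc failed (exit $LASTEXITCODE)" }
}

# Verify: the realm must be present with exactly these KDCs in this order.
# Compare-Object with -SyncWindow 0 reports any difference in content or order.
$summary = & ksetup
$actual  = Get-KsetupKdc -Summary $summary -Realm $Realm
if ($actual.Count -ne $Kdcs.Count -or (Compare-Object $Kdcs $actual -SyncWindow 0)) {
    throw "KDC list for ${Realm} is [$($actual -join ', ')], expected [$($Kdcs -join ', ')]"
}
Write-Host "ksetup: ${Realm} -> $($actual -join ', ') (order OK). Reboot before logging on."
```

Run it from an elevated prompt on the Domain Controller or the workstation after installing the Support Tools; if the throw fires, fix the realm entry with ksetup before rebooting rather than after, since the page's reboot is what makes the settings take effect.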
Notes
The user login name in Active Directory (Step #10, above) does not have to
be the same as the user's PennName. The password on the Windows 2000 machine
can also be different from the Kerberos password. However, we strongly suggest
that the user login name in Active Directory be the same as the user's PennName.
When a user logs on to the Windows 2000 domain using his or her PennKey (Step
#10, above), he or she is in fact using the Active Directory account that has been
set up locally on the Windows 2000 machine.
For example, suppose the Active Directory account jjones has a name mapping
to joe@UPENN.EDU. When the user logs on as joe, he or she is
authenticating to Penn's Kerberos server as joe. As far as the Windows 2000
Domain Controller is concerned, however, the same user is logged into the
Windows 2000 domain as jjones, with that account's group memberships and
permissions.
A user on Windows 2000 Professional or Windows 2000 Server will not be
able to change their Kerberos principal password using CTRL-ALT-DEL. You will
receive the following error:
The User name or old password is incorrect. Letters in passwords
must be typed using the correct case. Make sure that Caps Lock is not accidentally
on.
ISC has confirmed that Microsoft knows about this bug.
In order to change your password you will need to use Leash32, the
Windows Kerberos ticket manager.