Before I begin…
The first thing that you have to understand is that a third-party Kerberos realm is not the same as a Windows domain.
In addition, for this to work, do not configure Windows XP as a domain member. After all, a Kerberos realm is not a Windows domain. Windows should simply be configured to act as a part of a workgroup.
Adding a KDC
The first thing that we must do is to notify Windows of one or more available KDC servers. To do so, open a Command Prompt window, and enter the following commands:
Ksetup /addkdc REALM.CONTOSO.COM kdc.realm.contoso.com
Ksetup /addkdc REALM.CONTOSO.COM kdc-master.realm.contoso.com
These commands configure Windows to use two different KDCs for realm.contoso.com. You must replace realm.contoso.com with the name of the realm that you are attaching to.
Adding a password server
If the Kerberos realm that the workstation will be authenticating into supports the Kerberos change password protocol, you can configure Windows XP to use a Kerberos password server. To do so, enter the following command:
Ksetup /addkpasswd REALM.CONTOSO.COM kdc-master.realm.contoso.com
Mapping a user account
If a user is not logged into a domain, then Windows XP makes use of local user accounts. Because a Kerberos realm is not a domain, users must sign in using the workstation's local user accounts. You must create a mapping so Windows understands that a local user account is linked to an account within the Kerberos realm.
For example, suppose that my local user account name was Brien, and my account within the Kerberos realm was Brien@realm.contoso.com. I would need to create a mapping that tells Windows that these two accounts should be treated as one and the same. To do so, I would enter the following command:
Ksetup /mapuser Brien@REALM.CONTOSO.COM Brien
Once you have entered all of the commands, you have to restart the Windows machine in order for the changes to take effect.
It isn't very difficult to configure Windows XP to authenticate into a third-party realm. Keep in mind that Windows must be able to locate the realm before authentication can work. If you have trouble getting third-party Kerberos authentication to work, then try using the NSLOOKUP command to make sure that Windows can access the DNS records associated with the servers in the Kerberos realm.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
This was first published in November 2007