Kerberos authentication for network login on non-Windows networks

Windows can be configured to use Kerberos authentication for network login on non-Windows networks. Find out how in this tip.

For years, Windows has used Kerberos as an authentication protocol. What you might not realize, though, is that Kerberos is not exclusively a Microsoft technology. Other operating systems can, and often do, make use of Kerberos, so it's possible to configure Windows to use Kerberos authentication when logging into a non-Windows-based Kerberos realm.

Before I begin…

The first thing that you have to understand is that a third-party Kerberos realm is not the same as a Windows domain.

Therefore, many of the authentication-related activities that Windows performs automatically can no longer be taken for granted. You will have to configure Windows to locate the Kerberos realm, the Kerberos password servers and the Key Distribution Center (KDC) servers.

In addition, for this to work, do not configure Windows XP as a domain member. After all, a Kerberos realm is not a Windows domain. Windows should simply be configured to act as a part of a workgroup.

Adding a KDC

The first thing that we must do is to notify Windows of one or more available KDC servers. To do so, open a Command Prompt window, and enter the following commands:

Ksetup /addkdc REALM.CONTOSO.COM kdc.realm.contoso.com
Ksetup /addkdc REALM.CONTOSO.COM kdc-master.realm.contoso.com

These commands configure Windows to use two different KDCs for realm.contoso.com. You must replace REALM.CONTOSO.COM and the KDC host names with those of the realm that you are attaching to.

Adding a password server

If the Kerberos realm that the workstation will be authenticating into supports the Kerberos change password protocol, you can configure Windows XP to use a Kerberos password server. To do so, enter the following command:

Ksetup /addkpasswd REALM.CONTOSO.COM kdc-master.realm.contoso.com

Mapping a user account

If a user is not logged into a domain, then Windows XP makes use of local user accounts. Because a Kerberos realm is not a domain, users must sign in using the workstation's local user accounts. You must create a mapping so Windows understands that a local user account is linked to an account within the Kerberos realm.

For example, suppose that my local user account name was Brien, and my account within the Kerberos realm was Brien@realm.contoso.com. I would need to create a mapping that tells Windows that these two accounts should be treated as one and the same. To do so, I would enter the following command:

Ksetup /mapuser Brien@REALM.CONTOSO.COM Brien

Once you have entered all of the commands, you have to restart the Windows machine in order for the changes to take effect.

It isn't very difficult to configure Windows XP to authenticate into a third-party realm. Keep in mind that Windows must be able to locate the realm before authentication can work. If you have trouble getting third-party Kerberos authentication to work, then try using the NSLOOKUP command to make sure that Windows can access the DNS records associated with the servers in the Kerberos realm.
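As an added example (not from the original tip), the PowerShell script below runs the Ksetup steps from the sections above in order, but only after resolving every Kerberos server name first, which is the NSLOOKUP check this paragraph recommends. It assumes a PowerShell host and an elevated prompt; the realm, host names and account names are the tip's placeholders.

```powershell
# Added example, not part of the original tip. Replace the placeholder realm,
# server names and accounts with your own. Run elevated: Ksetup writes to HKLM.
# Kerberos realm names are case-sensitive and conventionally uppercase.
$Realm        = 'REALM.CONTOSO.COM'
$Kdcs         = @('kdc.realm.contoso.com', 'kdc-master.realm.contoso.com')
$KpasswdSrv   = 'kdc-master.realm.contoso.com'
# Realm principal -> local account. Keep one explicit entry per user: each
# mapping hands that local account to whoever holds the realm principal.
$UserMappings = @{ 'Brien@REALM.CONTOSO.COM' = 'Brien' }

# The NSLOOKUP check from the tip, done before any registry change: every
# KDC and password server must resolve, otherwise stop here.
$unresolved = @()
foreach ($name in (@($Kdcs) + $KpasswdSrv | Select-Object -Unique)) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name)
        Write-Host ("{0} -> {1}" -f $name, ($addrs -join ', '))
    } catch {
        $unresolved += $name
        Write-Warning "Cannot resolve $name : $($_.Exception.Message)"
    }
}
if ($unresolved.Count -gt 0) {
    throw "Fix DNS for $($unresolved -join ', ') before running Ksetup."
}

# Same commands as the tip, in the same order; a non-zero exit code aborts.
foreach ($kdc in $Kdcs) {
    & ksetup /addkdc $Realm $kdc
    if ($LASTEXITCODE -ne 0) { throw "ksetup /addkdc failed for $kdc" }
}
& ksetup /addkpasswd $Realm $KpasswdSrv
if ($LASTEXITCODE -ne 0) { throw 'ksetup /addkpasswd failed' }
foreach ($principal in $UserMappings.Keys) {
    & ksetup /mapuser $principal $UserMappings[$principal]
    if ($LASTEXITCODE -ne 0) { throw "ksetup /mapuser failed for $principal" }
}

# Ksetup with no arguments prints the stored realm settings for review.
& ksetup
Write-Host 'Restart the machine for the new realm settings to take effect.'
```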

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.


This was first published in November 2007
