Kerberos authentication for network login on non-Windows networks


Brien Posey
11.07.2007


For years, Windows has used Kerberos as an authentication protocol. What you might not realize, though, is that Kerberos is not exclusively a Microsoft technology. Other operating systems can, and often do, make use of Kerberos, so it's possible to configure Windows to use Kerberos authentication when logging into a non-Windows-based Kerberos realm.

Before I begin…

The first thing that you have to understand is that a third-party Kerberos realm is not the same as a Windows domain.
Therefore, many of the authentication-related activities that Windows performs automatically can no longer be taken for granted. You will have to configure Windows to locate the Kerberos realm, the Kerberos password servers and the Key Distribution Center servers.

In addition, for this to work, do not configure Windows XP as a domain member. After all, a Kerberos realm is not a Windows domain. Windows should simply be configured to act as a part of a workgroup.

Adding a KDC

The first thing that we must do is to notify Windows of one or more available KDC servers. To do so, open a Command Prompt window, and enter the following commands:

Ksetup /addkdc REALM.CONTOSO.COM kdc.realm.contoso.com
Ksetup /addkdc REALM.CONTOSO.COM kdc-master.realm.contoso.com

These commands configure Windows to use two different KDCs for realm.contoso.com. You must replace realm.contoso.com with the name of the realm that you are attaching to.

Adding a password server

If the Kerberos realm that the workstation will be authenticating into supports the Kerberos change password protocol, you can configure Windows XP to use a Kerberos password server. To do so, enter the following command:

Ksetup /addkpasswd REALM.CONTOSO.COM kdc-master.realm.contoso.com

Mapping a user account

If a user is not logged into a domain, then Windows XP makes use of local user accounts. Because a Kerberos realm is not a domain, users must sign in using the workstation's local user accounts. You must create a mapping so Windows understands that a local user account is linked to an account within the Kerberos realm.

For example, suppose that my local user account name was Brien, and my account within the Kerberos realm was Brien@realm.contoso.com. I would need to create a mapping that tells Windows that these two accounts should be treated as one and the same. To do so, I would enter the following command:

Ksetup /mapuser Brien@REALM.CONTOSO.COM Brien

Once you have entered all of the commands, you have to restart the Windows machine in order for the changes to take effect.

It isn't very difficult to configure Windows XP to authenticate into a third-party realm. Keep in mind that Windows must be able to locate the realm before authentication can work. If you have trouble getting third-party Kerberos authentication to work, then try using the NSLOOKUP command to make sure that Windows can access the DNS records associated with the servers in the Kerberos realm.
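
The NSLOOKUP check and the Ksetup steps above can be combined in one batch file. This is an added example, not part of the original tip: it uses the article's sample realm and host names, and the failure strings it searches for assume the English-language NSLOOKUP output.

```batch
@echo off
rem Added example: resolve each Kerberos server with NSLOOKUP before
rem registering it with Ksetup, so a DNS problem shows up first.
rem REALM, KDCS and KPASSWD are the article's sample values; replace them.
setlocal
set REALM=REALM.CONTOSO.COM
set KDCS=kdc.realm.contoso.com kdc-master.realm.contoso.com
set KPASSWD=kdc-master.realm.contoso.com
set FAILED=0

rem Check every host that will be handed to Ksetup.
for %%H in (%KDCS% %KPASSWD%) do call :check %%H
if %FAILED%==1 (
    echo Fix DNS for the hosts marked FAIL before running Ksetup.
    exit /b 1
)

rem All names resolve: register the KDCs and the password server.
for %%H in (%KDCS%) do Ksetup /addkdc %REALM% %%H
Ksetup /addkpasswd %REALM% %KPASSWD%
echo Done. Map user accounts with Ksetup /mapuser, then restart.
exit /b 0

:check
rem This does not rely on NSLOOKUP's exit code; it scans the output for
rem failure text instead (assumed English-locale strings).
nslookup %1 2>&1 | findstr /I /C:"can't find" /C:"timed out" /C:"No response" >nul
if not errorlevel 1 (
    echo [FAIL] %1 did not resolve
    set FAILED=1
) else (
    echo [ OK ] %1 resolves
)
goto :eof
```

Run it from the same Command Prompt window used for the Ksetup commands. If any host is marked FAIL, nothing is changed on the workstation.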

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.

