Windows 2000 Kerberos

These pages are currently being updated. New versions will be available soon.

Windows 2000 adopts Kerberos as its standard network authentication protocol, and its implementation is designed to interoperate with the Kerberos version 5 protocol as implemented by MIT. This web page is provided to assist departmental information technology managers in setting up authentication from Windows 2000 server domains to CIT's Kerberos realm. There are several possible scenarios for configuring Kerberos. The method described here is a "one-way trust" in which a Windows 2000 domain trusts the CIT Kerberos 5 realm, so that holders of CIT Kerberos credentials can log on to accounts in the Windows domain; the realm does not trust the domain in return. See Microsoft's web site for a technical introduction to how Windows 2000 implements the Kerberos version 5 standard.

Active Directory authentication is currently available for Windows 2000 Server and Professional machines only. Microsoft recently released Active Directory client extensions for Windows NT and Windows 9x machines, but these do not support Kerberos authentication. See the Microsoft web site for more information on Active Directory Client Extensions for Windows 95/98 and NT.

  1. Verify that Service Pack 1 or later is installed. To check this, from the Start menu select Run, type "winver.exe" and click OK. The About Windows dialog that opens shows the service pack level after the operating system version number. Authentication to MIT's Kerberos will not work without Service Pack 1 installed. The service pack is available from the Microsoft Windows 2000 downloads web site.

  2. The Windows 2000 server needs to be a domain controller with Active Directory (AD) already installed. If Active Directory is already installed please skip to #3 below.

    The details of installing Active Directory are beyond the scope of this document. Microsoft's web site provides documentation on installing Active Directory as well as some basic concepts of DNS and Active Directory that may be useful. AD is installed with the Active Directory Installation Wizard by running "dcpromo.exe." Some important tips regarding AD installation:

    • Make sure that the computer name matches the first label of the Windows 2000 server's DNS hostname. If, for example, the hostname of your server is bar.foo.cornell.edu, the system name must be set to bar before installing Active Directory. The name of your system can be viewed by right-clicking My Computer on the Windows desktop, selecting Properties, and looking under the tab labeled Network Identification.
    • When the Installation Wizard asks you to specify a new domain name, use the DNS domain suffix of the server's hostname. In the example of bar.foo.cornell.edu, the domain suffix would be foo.cornell.edu.
    • After entering the new domain name, click Next >. The Installation Wizard will then request a NetBIOS domain name. Leave the default name, in this case foo, as it appears in the entry blank.

    • If, after selecting Next, the Wizard returns an error message—"Wizard cannot contact DNS server that handles the name foo.cornell.edu to determine if it supports dynamic update"—then the DNS name is not set up with CIT's DNS servers. You will need to contact CIT at hostmaster@cornell.edu regarding your domain setup.

    • If the Active Directory Installation Wizard prompts you to install DNS server during the AD installation this indicates that Dynamic DNS has not been set up with Cornell's DNS servers. See #3 below.

    • After installing Active Directory, when the machine is rebooted, it will take a few minutes before the logon window appears.

  3. Dynamic DNS updates must be enabled for your domain on CIT's DNS servers so that the Windows 2000 domain controller can register its SRV records there automatically. Windows clients locate the domain's Key Distribution Center (KDC) by querying these records (for example _kerberos._tcp.foo.cornell.edu), and without them Kerberos authentication will not work. Information on how to configure Dynamic DNS with CIT's servers can be found at http://www.cit.cornell.edu/computer/system/win2000/dns/.


  4. Install the Windows 2000 Support Tools, which include the ksetup utility used in step 6. They are located on the Windows 2000 CD-ROM in the directory <CD>:\Support\Tools; run Setup.exe to begin the installation.
    If you would like additional Kerberos utilities, such as ktpass, you can install the Windows 2000 Resource Kit. These additional utilities, however, are not needed for cross-realm authentication to work.

  5. Send an e-mail to kerberos-admin@cornell.edu to request that your domain be added to CIT's Kerberos server. Do not forget to include the domain name that you want added. After the name has been added you will receive confirmation by e-mail, together with a trust password that you will need in step 8 when you configure the trust on the Windows 2000 machine (continue with #6 below). This password is the shared secret of the cross-realm trust; protect it as you would a domain administrator's password, and do not reuse it elsewhere.

  6. From a command prompt (cmd.exe) on your domain controller, type the following commands to register CIT's two KDCs for the realm. Kerberos realm names are case sensitive, so CIT.CORNELL.EDU must be in upper case:
    ksetup /addkdc CIT.CORNELL.EDU kerberos.cit.cornell.edu
    ksetup /addkdc CIT.CORNELL.EDU kerberos2.cit.cornell.edu

    Type ksetup by itself to review the current settings and confirm that both KDCs are listed for the realm CIT.CORNELL.EDU.


  7. From the Administrative Tools menu select Active Directory Domains and Trusts. Right-click on your domain name (in this example, foo.cornell.edu), select Properties, and then the tab labeled Trusts.

  8. In the section labeled Domains trusted by this domain click the Add button. Fill in "CIT.CORNELL.EDU" in upper case as the Trusted Domain Name. In the password box, enter the trust password you received from kerberos-admin in Step #5, above. Click OK.

  9. You will receive a warning that Windows cannot verify the trust because CIT.CORNELL.EDU is not a Windows domain. This is expected: CIT.CORNELL.EDU is an MIT Kerberos realm. Select OK.

  10. After completing Steps #7-9, CIT.CORNELL.EDU should appear in the list of Domains trusted by this domain. Click OK to continue.


  11. At this point you MUST restart the machine.

  12. After the machine reboots, log on to the local machine with administrative privileges and create a name mapping as follows:
    1. Select Active Directory Users and Computers from the Administrative Tools menu.
    2. From the MMC menu select View -> Advanced Features.
    3. Right-click on a user name and select Name Mappings...
    4. Select the tab labeled Kerberos Names and click Add.
    5. In the blank type "netid@CIT.CORNELL.EDU", where netid is the user's Cornell NetID. The Kerberos name is case sensitive: type the NetID in lower case and the realm CIT.CORNELL.EDU in upper case, exactly as shown. The mapping tells the domain controller which Active Directory account a ticket issued to that Kerberos principal may log on as.


  13. Log out. At the Log On screen (Ctrl-Alt-Del), select the Kerberos realm, CIT.CORNELL.EDU, from the Log on to list and enter the NetID you mapped as the user name.


    Using your Kerberos password, you should now be able to log on to the Domain Controller as the Active Directory user you mapped in Step #12, above.
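The following is an added example, not part of this page and not Windows or MIT code: a runnable toy model in Python of what steps 5 through 13 set up. The password from step 5 is the key of the cross-realm principal krbtgt/FOO.CORNELL.EDU@CIT.CORNELL.EDU, shared by CIT's KDC and your domain controller. CIT's KDC seals a cross-realm ticket under that key, the domain controller decrypts it with its own copy, and then looks up the Kerberos name mapping from step 12. The domain FOO.CORNELL.EDU, the NetID abc123 and the trust password are made up, and the cipher is a keyed-hash stand-in rather than Kerberos encryption. The four scenarios show why the realm must be typed in upper case and why the mapping is case sensitive: a wrong password or a mis-cased realm yields a ticket the domain controller cannot decrypt, while a mis-cased mapping yields a decryptable ticket with no account behind it.

```python
"""Toy model of the one-way trust built in steps 5 through 13 (added example, not
Windows or MIT Kerberos code). Real Kerberos uses ASN.1 tickets and enctype-specific
string-to-key and encryption; a keyed-hash toy cipher stands in so it runs offline."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def parse_principal(text: str) -> Tuple[str, str]:
    """Split 'name@REALM'. Realm names are case-sensitive, which is why the
    page insists on CIT.CORNELL.EDU in upper case everywhere it is typed."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {text!r}")
    return name, realm


def trust_key(password: str, cross_realm_principal: str) -> bytes:
    # TOY string-to-key bound to the exact principal name, so a mis-cased realm
    # yields a different key; a real KDC would fail to find the trust instead.
    return hmac.new(password.encode(), cross_realm_principal.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key does not match the ticket."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class MitKdc:
    """CIT's KDC: one key per trusting domain, for the cross-realm principal
    krbtgt/<DOMAIN>@<REALM>, derived from the password sent in step 5."""

    def __init__(self, realm: str, trust_passwords: Dict[str, str]) -> None:
        self.realm = realm
        self.keys = {d: trust_key(pw, f"krbtgt/{d}@{realm}") for d, pw in trust_passwords.items()}

    def cross_realm_tgt(self, netid: str, domain: str) -> bytes:
        # The user already holds a TGT for this realm (AS exchange not modelled);
        # the TGS returns a ticket for krbtgt/<domain> sealed under the shared key.
        return seal(self.keys[domain], f"{netid}@{self.realm}".encode())


class WindowsKdc:
    """The Windows 2000 DC: trusted realm and password from step 8, plus the
    name mappings from step 12 (exact, case-sensitive 'netid@REALM' -> account)."""

    def __init__(self, domain: str, trusted_realm: str, trust_password: str,
                 mappings: Dict[str, str]) -> None:
        self.trusted_realm = trusted_realm
        self.key = trust_key(trust_password, f"krbtgt/{domain}@{trusted_realm}")
        self.mappings = mappings

    def logon(self, cross_realm_tgt: bytes) -> str:
        plaintext = unseal(self.key, cross_realm_tgt)
        if plaintext is None:
            return "DENIED: cross-realm ticket not decryptable (trust password or realm name mismatch)"
        principal = plaintext.decode()
        if parse_principal(principal)[1] != self.trusted_realm:
            return f"DENIED: realm of {principal} is not trusted"
        account = self.mappings.get(principal)
        return f"LOGON {account}" if account else f"DENIED: no name mapping for {principal}"


def run_scenarios() -> Dict[str, str]:
    """Constructed scenarios with the page's example domain and a made-up trust
    password and NetID; each value is the Windows KDC's decision."""
    realm, domain, pw = "CIT.CORNELL.EDU", "FOO.CORNELL.EDU", "trust-pw-from-step-5"
    ticket = MitKdc(realm, {domain: pw}).cross_realm_tgt("abc123", domain)
    good_map = {"abc123@CIT.CORNELL.EDU": "abc123"}
    return {
        "correct": WindowsKdc(domain, realm, pw, good_map).logon(ticket),
        "wrong_password": WindowsKdc(domain, realm, "mistyped", good_map).logon(ticket),
        "lowercase_realm": WindowsKdc(domain, "cit.cornell.edu", pw, good_map).logon(ticket),
        "mapping_case": WindowsKdc(domain, realm, pw, {"abc123@cit.cornell.edu": "abc123"}).logon(ticket),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16} {result}")
```

Only the "correct" scenario logs on. Note that the two realm-case failures look identical from the Windows side (an undecryptable ticket), which is why a logon failure after this procedure is worth checking first against the case of CIT.CORNELL.EDU in ksetup, the trust entry and the name mapping before suspecting the password.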

 

Additional Notes:
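A pre-flight check for the DNS prerequisites in steps 2 and 3 above, as an added example in Python that is not part of the original page. It parses a dump of the domain's zone, confirms that the Active Directory domain name is the DNS suffix of the domain controller's hostname, and confirms that the SRV records a Windows 2000 domain controller registers for Kerberos, kpasswd and LDAP exist, advertise the expected ports and point at hosts that have A records. The zone dumps are constructed for the page's example domain foo.cornell.edu and are not real CIT data; the set of records checked is the subset that logon depends on, and a domain controller registers others as well.

```python
"""Pre-flight check of the DNS prerequisites in steps 2 and 3 (added example;
not part of the original page). Run it against a dump of your zone before
promoting the server or requesting the trust."""
from typing import Dict, List, Tuple

# SRV records a Windows 2000 domain controller registers for its domain, with
# the port each must advertise. Kerberos clients find the domain's KDC through
# the _kerberos records; without them cross-realm logons cannot work. A DC
# registers more records than these; this check covers the ones logon needs.
REQUIRED_SRV = {
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
}


def parse_zone(zone_text: str) -> Tuple[Dict[str, List[Tuple[int, str]]], Dict[str, str]]:
    """Parse a minimal zone dump: 'owner TTL IN SRV prio weight port target'
    and 'owner TTL IN A address' lines; ';' starts a comment."""
    srv: Dict[str, List[Tuple[int, str]]] = {}
    a: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, rtype = fields[0].rstrip(".").lower(), fields[3].upper()
        if rtype == "SRV" and len(fields) == 8:
            port, target = fields[6], fields[7].rstrip(".").lower()
            srv.setdefault(owner, []).append((int(port), target))
        elif rtype == "A":
            a[owner] = fields[4]
    return srv, a


def check_dc_dns(dc_fqdn: str, domain: str, zone_text: str) -> List[str]:
    """Return the problems found; an empty list means the prerequisites hold."""
    dc_fqdn, domain = dc_fqdn.rstrip(".").lower(), domain.rstrip(".").lower()
    problems: List[str] = []
    host, _, suffix = dc_fqdn.partition(".")
    # Step 2: the AD domain name must be the DNS suffix of the DC's hostname,
    # and the computer (system) name must be the first label.
    if suffix != domain:
        problems.append(f"domain {domain} is not the DNS suffix of {dc_fqdn} (system name {host})")
    srv, a = parse_zone(zone_text)
    if dc_fqdn not in a:
        problems.append(f"no A record for the domain controller {dc_fqdn}")
    # Step 3: each required SRV record must exist, advertise the expected port,
    # and point at a host that has an A record in the zone.
    for prefix, port in REQUIRED_SRV.items():
        name = f"{prefix}.{domain}"
        records = srv.get(name)
        if not records:
            problems.append(f"missing SRV record {name}")
            continue
        for rec_port, target in records:
            if rec_port != port:
                problems.append(f"{name} advertises port {rec_port}, expected {port}")
            if target not in a:
                problems.append(f"{name} target {target} has no A record")
    return problems


# Constructed zone dumps for the page's example domain; not real CIT data.
GOOD_ZONE = """
bar.foo.cornell.edu.                  600 IN A   10.0.0.5
_kerberos._tcp.foo.cornell.edu.       600 IN SRV 0 100 88  bar.foo.cornell.edu.
_kerberos._udp.foo.cornell.edu.       600 IN SRV 0 100 88  bar.foo.cornell.edu.
_kpasswd._tcp.foo.cornell.edu.        600 IN SRV 0 100 464 bar.foo.cornell.edu.
_kpasswd._udp.foo.cornell.edu.        600 IN SRV 0 100 464 bar.foo.cornell.edu.
_ldap._tcp.foo.cornell.edu.           600 IN SRV 0 100 389 bar.foo.cornell.edu.
_ldap._tcp.dc._msdcs.foo.cornell.edu. 600 IN SRV 0 100 389 bar.foo.cornell.edu.
"""

# Dynamic update never registered the UDP Kerberos record, and the LDAP record
# still points at a decommissioned DC that has no A record.
BROKEN_ZONE = """
bar.foo.cornell.edu.                  600 IN A   10.0.0.5
_kerberos._tcp.foo.cornell.edu.       600 IN SRV 0 100 88  bar.foo.cornell.edu.
_kpasswd._tcp.foo.cornell.edu.        600 IN SRV 0 100 464 bar.foo.cornell.edu.
_kpasswd._udp.foo.cornell.edu.        600 IN SRV 0 100 464 bar.foo.cornell.edu.
_ldap._tcp.foo.cornell.edu.           600 IN SRV 0 100 389 old-dc.foo.cornell.edu.
_ldap._tcp.dc._msdcs.foo.cornell.edu. 600 IN SRV 0 100 389 bar.foo.cornell.edu.
"""

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("broken", BROKEN_ZONE)):
        print(label, check_dc_dns("bar.foo.cornell.edu", "foo.cornell.edu", zone) or "OK")
```

Any problem listed for your real zone means the dynamic update in step 3 has not taken effect (or the system name and domain suffix from step 2 do not line up), and the trust configured in steps 6 through 10 will fail at logon regardless of how carefully it was entered.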





Last updated: May 25, 2007