Windows Kerberos Interoperability Conditions

A number of preconditions must be met before pass-thru logons will complete successfully in the U-M Active Directory forest. The following list details these requirements:

  1. The mapped Active Directory user account needs to reside in a domain which is included in a trust path between the MIT Kerberos realm (UMICH.EDU) and the resource (computer) domain.

    All centrally maintained Active Directory user accounts in the forest root domain, UMROOT, are guaranteed to be in a Kerberos trust path, since all trust from the U-M forest to the UMICH.EDU realm flows through UMROOT. W2k user accounts which reside in the same domain as the logon computer also define a correct trust path.

    For some configurations, pass-thru logons will fail. For instance, if an Active Directory user object resides in one Active Directory domain tree (ad.engin.umich.edu), but the computer he/she is using to log on is in another domain tree (adsroot.itcs.umich.edu), the trust path may not include the domain of the user.

  2. The trust path must traverse the forest root domain.

    This is a given in the U-M Active Directory forest, since all trust to the UMICH.EDU realm flows thru the forest root domain, UMROOT.

  3. If two Active Directory domains in the trust path both contain the same mapped principal name, the account in the domain that is closest to the MIT realm is the one that will be used. This is a result of Kerberos referrals filtering down from the MIT realm to the resource domain, discovering Active Directory resources along the way.

    As an example, consider the case where user bjensen has dual Active Directory accounts: one centrally-maintained account in UMROOT, and another account in a delegated OU of the UMICH domain. If both accounts are mapped to bjensen@UMICH.EDU, then the account in the UMROOT domain will be used for pass-thru logons. If the mapping is removed from bjensen's UMROOT account, then the bjensen UMICH account will be used for pass-thru logons.

  4. The Windows client workstation must be a member of a domain in the Active Directory forest. Windows 2000 and XP are supported. A Windows 2003 server can also be configured to use pass-thru in the same way if needed.

    In an Active Directory forest, all computers within the forest are Kerberos principals, just like users. If a user wants to log on at a computer that is not a member of the U-M Active Directory forest, he/she may be able to use Terminal Services to log on to another computer which is a member of the forest.

  5. The Windows client workstations must be prepared for Kerberos pass-thru logons by having certain registry settings.

    ITS offers a reg file that will prepare a Windows 2000 or XP workstation for pass-thru logon.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\UMICH.EDU]

    Key: RealmFlags
    Type: DWORD
    Value: 8

    Key: KPasswdNames
    Type: MULTI_SZ
    Value: kerberos.umich.edu
           kerberos-1.umich.edu
           kerberos-2.umich.edu
           kerberos-3.umich.edu

    Key: KdcNames
    Type: MULTI_SZ
    Value: kerberos.umich.edu
           kerberos-1.umich.edu
           kerberos-3.umich.edu

  6. The Active Directory user object to be used for pass-thru logons must be "mapped" to the U-M Kerberos UMICH.EDU realm.

    All centrally-maintained Active Directory user accounts in the UMROOT domain include a Kerberos mapping of the user to the UMICH.EDU realm.

  7. The Active Directory user must have a U-M uniqname and know their UMICH password.

    The user's U-M uniqname should match the user's Active Directory account name. This is a convention that has been established for the creation of users within the U-M Active Directory.
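
As an added example (not the ITS reg file and not code from this page), the Python script below renders the item 5 registry settings in regedit's "Version 5.00" text format and decodes them back, showing how the MULTI_SZ lists are carried as hex(7) data. The key path, value names and KDC hostnames are those listed above; the script and its file layout are my construction.

```python
# Constructed example (not the ITS reg file): renders the pass-thru settings
# listed above as a .reg file. REG_MULTI_SZ is stored as hex(7): UTF-16LE
# bytes, each string NUL-terminated, plus one extra NUL closing the list.

KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
       r"\Control\Lsa\Kerberos\Domains\UMICH.EDU")
SETTINGS = {
    "RealmFlags": 8,
    "KPasswdNames": ["kerberos.umich.edu", "kerberos-1.umich.edu",
                     "kerberos-2.umich.edu", "kerberos-3.umich.edu"],
    "KdcNames": ["kerberos.umich.edu", "kerberos-1.umich.edu",
                 "kerberos-3.umich.edu"],
}

def encode_multi_sz(strings):
    """Serialise a list of strings as REG_MULTI_SZ bytes."""
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return body + b"\x00\x00"

def decode_multi_sz(data):
    """Inverse of encode_multi_sz; rejects data that lacks the closing NUL."""
    text = data.decode("utf-16-le")
    if text == "\x00":                  # empty list: only the closing NUL
        return []
    if not text.endswith("\x00\x00"):
        raise ValueError("REG_MULTI_SZ is not double-NUL terminated")
    return text[:-2].split("\x00")

def parse_hex7(value):
    """Decode a 'hex(7):6b,00,...' .reg value (possibly '\\'-wrapped) to strings."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ value")
    raw = value[len("hex(7):"):].replace("\\\n", "").replace(" ", "")
    return decode_multi_sz(bytes(int(h, 16) for h in raw.split(",") if h))

def build_reg_file():
    """Render SETTINGS under KEY in regedit's 'Version 5.00' text format."""
    lines = ["Windows Registry Editor Version 5.00", "", "[" + KEY + "]"]
    for name, value in SETTINGS.items():
        if isinstance(value, int):          # DWORD: 8 hex digits
            lines.append('"%s"=dword:%08x' % (name, value))
        else:                               # MULTI_SZ: comma-separated bytes
            hex_bytes = ",".join("%02x" % b for b in encode_multi_sz(value))
            lines.append('"%s"=hex(7):%s' % (name, hex_bytes))
    return "\n".join(lines) + "\n"
```

regedit exports wrap long hex lines with a trailing backslash, which parse_hex7 tolerates; the unwrapped lines build_reg_file emits are also accepted on import.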