
Windows Active Directory Kerberos Interoperability

The U-M Active Directory forest supports some degree of Kerberos interoperability with the U-M campus Kerberos 5 service. Each Active Directory domain functions as a Kerberos 5 realm, providing a common authentication mechanism between Active Directory and MIT-based Kerberos. Another term for Active Directory Kerberos interoperability is "pass-thru" logon. In a nutshell, pass-thru logon means that when a user logs on to an Active Directory workstation, the user's uniqname and UMICH password are used to authenticate directly to the U-M Kerberos realm (UMICH.EDU), and that when the logon is complete, the user has obtained credentials both from U-M Kerberos and from Windows Kerberos.

The pass-thru user does not have to enter a Windows password. The MIT Kerberos realm resides at the top of a "trust path," which creates a one-way chain of transitive trust, from any Active Directory domain in the forest, to the U-M Kerberos realm.

The ultimate goal for Active Directory Kerberos interoperability at the University of Michigan is to create a "single-signon" Active Directory environment, where a user may log on once with his/her uniqname and UMICH password, and be authorized for all applications to which he/she is entitled. At this point in time, Windows Kerberos interoperability at U-M is somewhat limited, both by legacy Windows applications which do not support Kerberos version 5, and by structural limitations in the way Kerberos interoperability is designed. Please refer to the section Active Directory Kerberos Interoperability Conditions for a discussion of the conditions that are necessary for successful pass-thru logons.

Active Directory Pass-Thru Logons

The diagram below illustrates how a typical Active Directory user, "Babs Jensen," might log on to an Active Directory domain using only her uniqname and UMICH password. Babs does not have to know her Active Directory password. Because domains in the U-M Active Directory forest trust the UMICH.EDU realm, Babs can authenticate in the UMICH.EDU realm during her initial Active Directory logon, and obtain Kerberos tickets from domains in the U-M Active Directory forest. Referring to the diagram below, the Kerberos trust path starts at the domain to which the Windows client computer belongs (UMICH), passes through the Windows forest root domain (UMROOT), and ends at the MIT Kerberos realm (UMICH.EDU). The trusts are "transitive," which means that if "A" trusts "B," and "B" trusts "C," then "A" also trusts "C." Windows NT 4 does not support transitive trust, which hindered the construction of a large-scale, campus-wide NT 4 infrastructure. Notice that the trust from UMROOT to the U-M Kerberos realm, UMICH.EDU, is a one-way trust: Active Directory trusts the U-M Kerberos realm, but the reverse is not true. This one-way trust protects the U-M Kerberos database from security problems that may arise in the Active Directory forest.
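The trust path described above can be modelled as a small directed graph and walked the way a KDC resolves cross-realm referrals. The following Python is an added example, not part of this document or of the U-M Windows Forest tooling; the realm names UMICH, UMROOT and UMICH.EDU come from the diagram, while the trust edges are constructed here (the two-way parent/child trust between UMICH and UMROOT is standard Active Directory behaviour that the page does not spell out). It shows that a UMICH.EDU principal reaches a service in the UMICH domain through two cross-realm TGTs, and that an Active Directory principal finds no path into UMICH.EDU, which is the one-way property the text relies on.

```python
from collections import deque

# Constructed trust edges, stored as (trusting_realm, trusted_realm).
# "X trusts Y" means a service in X will accept principals authenticated by Y.
TRUSTS = {
    ("UMICH", "UMROOT"),      # child domain trusts the forest root
    ("UMROOT", "UMICH"),      # parent/child AD trusts are two-way (assumed, standard AD)
    ("UMROOT", "UMICH.EDU"),  # one-way realm trust: the MIT realm is trusted, not trusting
}


def trusted_by(realm, trusts):
    """Realms that `realm` directly trusts, i.e. whose principals it accepts."""
    return {trusted for trusting, trusted in trusts if trusting == realm}


def referral_path(client_realm, service_realm, trusts):
    """Return the realm chain client_realm -> ... -> service_realm a client
    must traverse to obtain a service ticket, or None if no trust path exists.

    A service in realm T accepts a principal from realm S only if a chain
    T -> ... -> S of trust edges exists, so the search runs backwards from
    the service realm toward the client realm (breadth-first, shortest path).
    """
    if client_realm == service_realm:
        return [client_realm]
    parent = {service_realm: None}   # realm -> next realm toward the service
    queue = deque([service_realm])
    while queue:
        realm = queue.popleft()
        for nxt in trusted_by(realm, trusts):
            if nxt in parent:
                continue
            parent[nxt] = realm
            if nxt == client_realm:
                # Follow parent links from the client realm back to the service realm.
                path, cur = [], nxt
                while cur is not None:
                    path.append(cur)
                    cur = parent[cur]
                return path
            queue.append(nxt)
    return None


def cross_realm_tgts(path):
    """Cross-realm TGT principals (krbtgt/NEXT@CURRENT) requested along the path."""
    return [f"krbtgt/{path[i + 1]}@{path[i]}" for i in range(len(path) - 1)]


if __name__ == "__main__":
    # Babs, authenticated by UMICH.EDU, wants a service ticket in the UMICH domain.
    path = referral_path("UMICH.EDU", "UMICH", TRUSTS)
    print("pass-thru path:", " -> ".join(path))
    print("cross-realm TGTs:", cross_realm_tgts(path))
    # The reverse direction is blocked: nothing trusts UMICH.EDU's acceptance of AD users.
    print("AD user into UMICH.EDU:", referral_path("UMICH", "UMICH.EDU", TRUSTS))
```

Running the block prints the path `UMICH.EDU -> UMROOT -> UMICH` with the two cross-realm TGTs `krbtgt/UMROOT@UMICH.EDU` and `krbtgt/UMICH@UMROOT`, and `None` for the reverse lookup, because no trust edge has UMICH.EDU as the trusting side.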

[Diagram: Kerberos Pass-Thru]

Setting Up Pass-Thru Logon

For information on setting up your Windows workstation for pass-through Kerberos logon, see:

To access file shares using Kerberos pass-thru, see Accessing File Shares with Pass-Thru Logon.

All of these can be found in the How To section.