Windows Server 2008 Group Policy settings for interoperability with non-Microsoft Kerberos realms

Article ID: 947706 - View products that this article applies to.
Expand all | Collapse all

On This Page

INTRODUCTION

Microsoft provides interoperability features in Windows Server 2008 and in Windows Vista Service Pack 1 (SP1) that enable these computers to use non-Microsoft implementations of the Kerberos protocol for authentication. To enable this configuration, some settings must be modified on computers that will be joined to the non-Microsoft Kerberos realm. In Windows Server 2008, administrators can deploy these configuration settings to multiple computers through Group Policy. This article discusses the Group Policy settings that were added to support interoperability with non-Microsoft Kerberos implementations in Windows Server 2008 and in Windows Vista SP1.
Back to the top | Give Feedback

MORE INFORMATION

The following settings are found in the following location in the Group Policy Management Console:
Computer Configuration\Administrative Templates\System\Kerberos

Policy: Define host name-to-Kerberos realm mappings

This policy setting lets you specify the DNS host names and the DNS suffixes that are mapped to a Kerberos realm.

If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes that are mapped to a Kerberos realm as defined by Group Policy.

If you disable this policy setting, the host name-to-Kerberos realm mappings list that Group Policy defines is deleted.

If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if the realm mappings exist.

To view the list of mappings, enable the policy setting, and then click Show.

To add a mapping, follow these steps:
  1. Enable the policy setting.
  2. Note the syntax, and then click Show.
  3. Click Add, and then enter a realm name, the list of DNS host names, and the DNS suffixes by using the syntax that you noted in step 2.
To remove a mapping, click the mapping entry, and then click Remove.

To edit a mapping, remove the current entry from the list, and then add a new mapping that has different parameters.

Policy: Define interoperable Kerberos version 5 realm settings

This policy setting configures the Kerberos client so that the client can authenticate with interoperable Kerberos version 5 realms, as defined by this policy setting.

If you enable this policy setting, you can view and change the list of interoperable Kerberos version 5 realms and their settings.

If you disable this policy setting, the interoperable Kerberos version 5 realm settings that Group Policy defines are deleted.

If you do not configure this policy setting, the system uses the interoperable Kerberos version 5 realm settings that are defined in the local registry, if the realm settings exist.

To view the list of interoperable Kerberos version 5 realms, enable the policy setting, and then click Show.

To add an interoperable Kerberos version 5 realm, follow these steps:
  1. Enable the policy setting.
  2. Note the syntax, and then click Show.
  3. Click Add, enter the interoperable Kerberos version 5 realm name in the Value Name box, and then type the definition of settings in the Value box. Use the syntax that you noted in step 2.
To remove an interoperable Kerberos version 5 realm, click the Kerberos version 5 entry, and then click Remove.

To edit a mapping, remove the current entry from the list, and then add a new mapping that has different parameters.

Policy: Require strict KDC validation

This policy setting controls the Kerberos client's behavior when the client validates the Key Distribution Center (KDC) certificate.

If you enable this policy setting:
  • The Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions.
  • The Kerberos client requires that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain.
  • If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a certification authority in the NTAUTH store.
  • If the computer is not joined to a domain, the Kerberos client allows for the root certification authority certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions.
Back to the top | Give Feedback

REFERENCES

For more information about Kerberos 5 interoperability, visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/bb742433.aspx
(http://technet.microsoft.com/en-us/library/bb742433.aspx)
Back to the top | Give Feedback

Properties

Article ID: 947706 - Last Review: March 8, 2008 - Revision: 1.0
APPLIES TO
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Standard
Keywords: 
kbinfo kbpubtypekc kbhowto KB947706
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top