

8.2 Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC

See also the Step-by-Step guide from Microsoft, referenced below.

Install Windows 2000, and create a new controller (Active Directory Server) for the domain.

By default the trust will be non-transitive. This means that only users directly from the trusted domain may authenticate. This can be changed to transitive by using the netdom.exe tool. netdom.exe can also be used to add the trust between two realms.

You need to tell Windows 2000 on which hosts to find the KDCs for the non-Windows realm with ksetup; see Configuring Windows 2000 to use a Heimdal KDC.

This needs to be done on every computer that wants to enable cross-realm login with Mapped Names.

Then you need to add the inter-realm keys on the Windows KDC. Start the Domain Tree Management tool (found in Programs, Administrative tools, Active Directory Domains and Trusts).

Right-click your domain, choose Properties and select the Trusts tab. Press Add in the appropriate trust window (domains trusted by this domain, or domains that trust this domain) and enter the domain name and the trust password. When asked whether this is a non-Windows Kerberos realm, press OK.

Do not forget to add trusts in both directions (if that's what you want).

If you want to use netdom.exe instead of the Domain Tree Management tool, you do it like this:

     netdom trust NT.REALM.EXAMPLE.COM /Domain:EXAMPLE.COM /add /realm /passwordt:TrustPassword

You also need to add the inter-realm keys to the Heimdal KDC. Make sure both sides share at least one encryption type: DES and Arcfour for Windows 2000 (AES as well in the case of Longhorn). A krbtgt key with an encryption type the other side does not implement is never used.

Another issue is salting. Windows 2000 does not appear to understand Kerberos 4 salted keys, so you may need to turn off a setting like the following if you have it, at least while adding the principals that are going to share keys with Windows 2000:

     [kadmin]
             default_keys = v5 v4

So remove v4 from default keys.

What you probably want to use is this:

     [kadmin]
             default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt

Once that is also done, you can add the required inter-realm keys:

     kadmin add krbtgt/NT.REALM.EXAMPLE.COM@EXAMPLE.COM
     kadmin add krbtgt/EXAMPLE.COM@NT.REALM.EXAMPLE.COM

Use the same password for both keys, and use the trust password you gave to netdom.exe or the Domain Tree Management tool: the Windows side derives its copy of the krbtgt keys from that password, so the two copies only agree if the passwords (and the salt) are identical.
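As an added example (not from the Heimdal documentation or the Heimdal project), the following POSIX shell script checks the Heimdal side of the trust once the two krbtgt principals exist: it compares the key types of the two cross-realm principals and flags any key whose salt is not the default pw-salt, since Windows 2000 only derives keys with the standard principal-name salt. It assumes that "kadmin -l get principal" prints a "Keytypes:" line of comma-separated enctype(salttype[:saltstring]) tokens, with a non-default salt shown after a colon (a Kerberos 4 style key carries an empty salt and so shows up that way). The sample outputs in the script are constructed in that layout; the realm names are the ones used on this page.

```sh
#!/bin/sh
# Added example, not part of the Heimdal documentation or source.
# Verifies that the two cross-realm krbtgt principals in a Heimdal KDC
# carry the same key types, and that no key uses a non-default salt
# (Windows 2000 derives its keys with the default principal-name salt only).
# Assumption: "kadmin -l get" prints a "Keytypes:" line such as
#   Keytypes: des-cbc-crc(pw-salt), arcfour-hmac-md5(pw-salt)
# and renders a non-default salt as "salttype:saltstring".

# Print the key types of one "kadmin get" output, one token per line, sorted.
keytypes_of() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Keytypes:[[:space:]]*//p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        sed '/^$/d' |
        sort
}

# Print every key whose salt is not the plain default "(pw-salt)".
# Exit status 0 when at least one such key exists, i.e. the bad case.
nondefault_salts() {
    bad=$(keytypes_of "$1" | grep -v '(pw-salt)$' || true)
    [ -n "$bad" ] && printf '%s\n' "$bad"
}

# Exit status 0 when both principals have exactly the same key types.
keytypes_match() {
    a=$(keytypes_of "$1")
    b=$(keytypes_of "$2")
    [ "$a" = "$b" ]
}

# Constructed sample output, in the layout "kadmin -l get" uses:
# a correctly keyed principal and one that still has a v4-style key.
SAMPLE_GOOD='            Principal: krbtgt/NT.REALM.EXAMPLE.COM@EXAMPLE.COM
                 Kvno: 1
             Keytypes: des-cbc-crc(pw-salt), arcfour-hmac-md5(pw-salt)'

SAMPLE_V4='            Principal: krbtgt/EXAMPLE.COM@NT.REALM.EXAMPLE.COM
                 Kvno: 1
             Keytypes: des-cbc-crc(pw-salt), des-cbc-md5(pw-salt:), arcfour-hmac-md5(pw-salt)'

# Live check against the local KDC database: run as "./check-trust.sh --live"
if [ "${1:-}" = "--live" ]; then
    A=$(kadmin -l get 'krbtgt/NT.REALM.EXAMPLE.COM@EXAMPLE.COM')
    B=$(kadmin -l get 'krbtgt/EXAMPLE.COM@NT.REALM.EXAMPLE.COM')
    keytypes_match "$A" "$B" ||
        echo 'key types differ between the two cross-realm krbtgt principals'
    for out in "$A" "$B"; do
        nondefault_salts "$out" |
            sed 's/^/non-default salt, Windows 2000 will not derive it: /'
    done
fi
```

Run it with --live on the KDC after the two kadmin add commands; with no arguments it only defines the functions and the samples. If it reports a non-default salt, remove v4 from default_keys in the [kadmin] section, delete the principal and add it again before re-entering the trust password on the Windows side.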

Do not forget to reboot the Windows machine after running ksetup and before trying the new realm trust. Without the reboot it may look as if the trust works, but no packets are ever sent to the non-Windows KDC.