Enabling Interoperability with Kerberos Clients and Servers Running Other Operating Systems

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Some organizations have clients running UNIX or other operating systems. To allow for the secure exchange of information with other clients, you can configure the clients to authenticate to Windows Server 2003 domain controllers in order to obtain the required credentials. Similarly, Windows clients can be configured to authenticate to other KDCs.

To enable interoperability with UNIX or other clients, you must:

  • Establish a realm trust, a particular type of external trust, with the UNIX realm. This enables an authentication that is completed in one realm or domain to be trusted by the other realm or domain.

  • Create account mappings so that other clients have mapped accounts in Active Directory. This enables other clients to access resources that are secured in a Windows environment.

Establishing Trusts with Kerberos Realms

To enable authentication between Windows domains and UNIX realms or other clients, you must establish a one-way or two-way trust between the two so that tickets generated in one are recognized and accepted by resources in the other. For example, a one-way trust relationship in which a Kerberos realm trusts a Windows Server 2003 domain allows Windows Server 2003 users to log on to the Kerberos realm; in other words, the UNIX server accepts or trusts the authentication performed by the Windows Server 2003 KDC. Another trust can be created so that users logged on to the Kerberos realm can access resources in the Windows Server 2003 domain.
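The Windows side of such a trust, as an added example that is not part of the original article: the commands below create a one-way realm trust in which the Windows Server 2003 domain CORP.EXAMPLE.COM trusts the MIT Kerberos realm UNIX.EXAMPLE.COM, using the netdom and ksetup tools. Domain, realm and host names and the trust password are placeholders.

```batch
@echo off
REM Added example: establish a realm trust between the Windows Server 2003
REM domain CORP.EXAMPLE.COM and the non-Windows Kerberos realm
REM UNIX.EXAMPLE.COM. Run on a domain controller as a Domain Admin.
REM All names and the password are placeholders.

REM 1. One-way trust: the Windows domain (trusting) trusts the realm (trusted),
REM    so principals from UNIX.EXAMPLE.COM can present tickets to Windows
REM    resources. /realm marks a non-Windows Kerberos V5 realm trust and
REM    /PasswordT sets the shared cross-realm key that both KDCs must hold.
netdom trust corp.example.com /d:UNIX.EXAMPLE.COM /add /realm /PasswordT:REPLACE_WITH_TRUST_PASSWORD

REM    Add /twoway if Windows users must also reach services in the realm;
REM    the realm then needs the second cross-realm principal as well.

REM 2. Tell the Windows KDC and its clients where the realm's KDC is. Without
REM    DNS SRV records for the realm this is required on every computer that
REM    follows the cross-realm referral.
ksetup /addkdc UNIX.EXAMPLE.COM kdc1.unix.example.com

REM 3. Check that the trust object now exists and note its direction.
netdom query /d:corp.example.com trust
```

On the MIT side the matching cross-realm principal must exist with the same password: for the one-way trust above that is `krbtgt/CORP.EXAMPLE.COM@UNIX.EXAMPLE.COM`, and a two-way trust also needs `krbtgt/UNIX.EXAMPLE.COM@CORP.EXAMPLE.COM`. The key types must match on both sides; Windows Server 2003 realm trusts use DES keys, so the MIT principals are normally created with a DES key type. Tickets from the realm are only useful in the domain once the principals are mapped to accounts, as described under Account mappings below.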

Configuring Accounts for Kerberos Clients Running Other Operating Systems

After you have established trusts between a UNIX or other realm and a Windows domain, you must coordinate accounts, enabling users to authenticate and access resources.

User accounts

You must configure clients to authenticate to the appropriate KDC. For example, you might configure a Linux desktop to authenticate to a Windows Server 2003–based KDC at logon. Most Kerberos clients allow a KDC to be specified for authentication as part of the logon to the local computer. Windows Server 2003 provides the Kerberos KDC service as part of the domain controller, so Windows clients log on to the domain controller itself; the KDC is located by means of service location (SRV) records in DNS. This frees the administrator from having to maintain explicit Kerberos configuration data for each client.
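The reverse case mentioned at the start of this topic, a Windows workstation configured to authenticate to a non-Windows KDC, together with the DNS check behind the SRV-record claim above, as an added example that is not part of the original article. It uses the ksetup and nslookup tools; realm, host and domain names and the password are placeholders.

```batch
@echo off
REM Added example: a Windows workstation that authenticates to a MIT Kerberos
REM realm at logon, followed by a check of the DNS records that domain
REM members use to find a Windows KDC. All names are placeholders.

REM --- Workstation authenticating to the realm UNIX.EXAMPLE.COM ---
REM Default realm for this computer; users then log on as user@UNIX.EXAMPLE.COM.
ksetup /setdomain UNIX.EXAMPLE.COM
REM KDC and password-change server for the realm. Each ksetup entry replaces
REM what a krb5.conf [realms] stanza would hold on a UNIX client.
ksetup /addkdc UNIX.EXAMPLE.COM kdc1.unix.example.com
ksetup /addkpasswd UNIX.EXAMPLE.COM kdc1.unix.example.com
REM Key the workstation's own host principal; host/<computer>@UNIX.EXAMPLE.COM
REM must already exist in the realm with the same password.
ksetup /setcomputerpassword REPLACE_WITH_HOST_PRINCIPAL_PASSWORD
REM Restart the workstation before testing the logon.

REM --- Checking that a Windows domain advertises its KDCs in DNS ---
REM Domain members carry no KDC list because every domain controller
REM registers these SRV records. Empty answers mean the DC locator cannot
REM find a KDC, and domain logons from Kerberos clients will fail.
nslookup -type=SRV _kerberos._tcp.corp.example.com
nslookup -type=SRV _kpasswd._tcp.corp.example.com
```

A Linux desktop pointed at the Windows KDC needs the same two pieces of information, the realm name and how to reach its KDCs; with `dns_lookup_kdc` enabled in its krb5.conf it uses the SRV records shown by the nslookup queries instead of a static KDC list.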

Service accounts

Windows Server 2003 supports the authentication of other Kerberos services in a Windows Server 2003 domain. If you require services to access resources across the domain or realm, you must create service accounts in Active Directory to represent those services. For example, you can make a UNIX-based telnet service accessible to Kerberos clients in a Windows domain by creating a service account in Active Directory for that service. In this case the telnet service belongs to the Windows domain rather than to the other Kerberos realm, unlike the arrangement in which a trust relationship is established between the Windows domain and another Kerberos realm.
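How such a service account is created and its Kerberos key handed to the UNIX host, as an added example that is not part of the original article. It uses dsadd, ktpass and setspn from Windows Server 2003 and its Support Tools; the account, OU and host names are placeholders.

```batch
@echo off
REM Added example: represent a UNIX telnet service in Active Directory so that
REM Kerberos clients of CORP.EXAMPLE.COM can obtain service tickets for it.
REM Account, OU and host names are placeholders.

REM 1. A dedicated account for the service; it is never used interactively.
dsadd user "CN=svc-telnet-unixhost,OU=Service Accounts,DC=corp,DC=example,DC=com" ^
    -pwd * -disabled no -pwdneverexpires yes

REM 2. Bind the principal the UNIX host will present to that account and
REM    export its key. /mapuser writes the SPN and UPN onto the account,
REM    /ptype KRB5_NT_PRINCIPAL is the name type UNIX Kerberos expects, and
REM    /crypto must be a key type the host's Kerberos library supports.
REM    /pass * prompts for the password, which becomes the keytab key.
ktpass /princ host/unixhost.corp.example.com@CORP.EXAMPLE.COM ^
       /mapuser CORP\svc-telnet-unixhost ^
       /pass * ^
       /ptype KRB5_NT_PRINCIPAL ^
       /crypto DES-CBC-MD5 ^
       /out unixhost.keytab

REM 3. Confirm the SPN is registered on this account and on no other;
REM    a duplicate SPN makes ticket requests for the service fail.
setspn -L svc-telnet-unixhost
```

Because a DES key is exported, the account's "Use DES encryption types for this account" option must be set; ktpass on Windows Server 2003 sets it by default, and the option is also visible in Active Directory Users and Computers. The keytab is a credential equivalent to the account's password: transfer it to the UNIX host over a protected channel, merge it into /etc/krb5.keytab there, and delete the copy on the domain controller.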

Account mappings

When a Windows Server 2003 domain trusts a Kerberos realm, the principals in the Kerberos realm do not contain the group associations that are used for access control in the Windows Server 2003 environment. You can use account mapping in the Windows Server 2003 domain to provide authorization information for Kerberos principals from trusted realms. You can either map accounts one-to-one, by mapping each account in a realm to a corresponding account in the Windows Server 2003 domain, or you can use one-to-many mapping, by which multiple individual accounts in a realm are mapped to one account in the Windows Server 2003 domain. For more information about account mapping, see the Windows Security Collection of the Windows Server 2003 Technical Reference (or see the Windows Security Collection on the Web at https://www.microsoft.com/reskit).

To ensure seamless interoperability, you must keep the accounts in the Kerberos realm and the Windows Server 2003 domain synchronized. You can use ADSI and Lightweight Directory Access Protocol (LDAP) in Active Directory to synchronize accounts, or use metadirectory technology such as Zoomit Via.
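The two mapping styles described above, applied through LDAP as this paragraph suggests, as an added example that is not part of the original article. Name mappings in Active Directory are stored in the altSecurityIdentities attribute (the attribute behind the Name Mappings dialog in Active Directory Users and Computers), so they can be written with the ldifde tool. Account names and distinguished names are placeholders.

```batch
@echo off
REM Added example: map Kerberos principals from the trusted realm
REM UNIX.EXAMPLE.COM onto Active Directory accounts by adding
REM altSecurityIdentities values. Names and DNs are placeholders.

REM 1. Build the LDIF. Each value has the form Kerberos:principal@REALM, with
REM    the realm written exactly as the realm's KDC issues it, upper case.
REM    The first entry is a one-to-one mapping of one realm user to her own
REM    domain account. The second is one-to-many: several realm principals
REM    share one restricted domain account and therefore the same group
REM    memberships and access.
(
  echo dn: CN=Alice Example,OU=Users,DC=corp,DC=example,DC=com
  echo changetype: modify
  echo add: altSecurityIdentities
  echo altSecurityIdentities: Kerberos:alice@UNIX.EXAMPLE.COM
  echo -
  echo.
  echo dn: CN=unix-build-farm,OU=Mapped Accounts,DC=corp,DC=example,DC=com
  echo changetype: modify
  echo add: altSecurityIdentities
  echo altSecurityIdentities: Kerberos:build01/buildhost1.unix.example.com@UNIX.EXAMPLE.COM
  echo altSecurityIdentities: Kerberos:build02/buildhost2.unix.example.com@UNIX.EXAMPLE.COM
  echo -
) > mappings.ldf

REM 2. Import into the domain; -k continues past values that already exist.
ldifde -i -f mappings.ldf -k

REM 3. Read back the mappings for one account to confirm the import.
ldifde -f check.ldf -d "CN=Alice Example,OU=Users,DC=corp,DC=example,DC=com" -l altSecurityIdentities
type check.ldf
```

A mapping grants the realm principal every right of the domain account it maps to, so one-to-many accounts should carry only the group memberships the mapped principals need. When an account is removed on either side, the corresponding altSecurityIdentities value must be removed as well, which is the synchronization task this paragraph refers to.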