Enabling Kerberos V5 authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Kerberos V5 authentication protocol is enabled by default for all computers joined to a Windows Server 2003 or Windows 2000 domain during installation. Kerberos provides single sign-on to resources within a domain, and to resources residing in trusted domains.

You can control certain aspects of Kerberos configuration through the Kerberos security settings, which are part of the account policies. For example, you can set the lifetime of users' Kerberos V5 tickets. As an administrator, you can use the default Kerberos policy or change it to suit the needs of your environment.

Successful authentication using Kerberos V5 requires that both the client and server computers run Windows 2000, a member of the Windows Server 2003 family, or Windows XP Professional.

If a client system tries to authenticate to a server running another version of the Windows operating system, the NTLM protocol will be used as the authentication mechanism.

Note

  • Computers that use Kerberos for authentication must have their clocks synchronized to within five minutes of a common time service, or authentication fails. Computers running a member of the Windows Server 2003 family, Windows XP Professional, or Windows 2000 automatically update the current time, using the domain controller as a network time service.
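
The five-minute tolerance in the note above can be audited across hosts by checking each machine's measured clock offset from the domain controller. The following is an added example, not part of the original page: it assumes the offsets were collected with `w32tm /stripchart /computer:<dc> /samples:<n> /dataonly` and that data lines have the form `HH:MM:SS, +NN.NNNNNNNs` (or `HH:MM:SS, error: 0x...` on failure); the host names and sample output are constructed.

```python
import re

# Tolerance stated in the note above: five minutes.
MAX_SKEW_SECONDS = 5 * 60

# Assumed data-line formats of `w32tm /stripchart /dataonly`.
_SAMPLE = re.compile(r"^\d{1,2}:\d{2}:\d{2}(?: [AP]M)?, ([+-]\d+\.\d+)s$")
_ERROR = re.compile(r"^\d{1,2}:\d{2}:\d{2}(?: [AP]M)?, error: (0x[0-9A-Fa-f]+)$")


def parse_offsets(output):
    """Return (offsets_in_seconds, error_codes) from one stripchart run."""
    offsets, errors = [], []
    for line in output.splitlines():
        line = line.strip()
        m = _SAMPLE.match(line)
        if m:
            offsets.append(float(m.group(1)))
            continue
        m = _ERROR.match(line)
        if m:
            errors.append(m.group(1))
    return offsets, errors


def assess(output, limit=MAX_SKEW_SECONDS):
    """Classify a host as 'ok', 'skewed' or 'unknown' (no usable sample)."""
    offsets, _errors = parse_offsets(output)
    if not offsets:
        # A host that could not reach the time source is not proven in sync.
        return "unknown", None
    worst = max(offsets, key=abs)
    return ("skewed" if abs(worst) > limit else "ok"), worst


# Constructed sample output (not captured from real hosts).
SAMPLES = {
    "ws01": "Tracking dc01 [192.0.2.10].\nCollecting 2 samples.\n"
            "The current time is 1/1/2007 12:00:00 PM.\n"
            "12:00:00, +00.0123456s\n12:00:02, -00.0098765s\n",
    "ws02": "Tracking dc01 [192.0.2.10].\nCollecting 1 samples.\n"
            "12:00:00, +412.5031250s\n",
    "ws03": "Tracking dc01 [192.0.2.10].\nCollecting 1 samples.\n"
            "12:00:00, error: 0x800705B4\n",
}

if __name__ == "__main__":
    for host, text in sorted(SAMPLES.items()):
        print(host, *assess(text))
```

Hosts reported as `skewed` or `unknown` are the ones to investigate first when Kerberos authentication fails.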

For more information about configuring Kerberos policy, see Kerberos Policy and Account Policies.

For more information about Kerberos, see "Logon and Authentication" at the Microsoft Windows Resource Kits Web site.