Was this page helpful?
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All


Published: May 25, 2011

Updated: April 17, 2012

Applies To: Windows Server 2008 R2

Performs tasks that are related to setting up and maintaining Kerberos protocol and the Key Distribution Center (KDC) to support Kerberos realms, which are not also Windows domains. For examples of how this command can be used, see the Examples section in each of the related subtopics.

[/setrealm <DNSDomainName>] 
[/mapuser <Principal> <Account>] 
[/addkdc <RealmName> <KDCName>] 
[/delkdc <RealmName> <KDCName>]
[/addkpasswd <RealmName> <KDCPasswordName>] 
[/delkpasswd <RealmName> <KDCPasswordName>]
[/server <ServerName>] 
[/setcomputerpassword <Password>]
[/removerealm <RealmName>]  
[/domain <DomainName>] 
[/changepassword <OldPassword> <NewPassword>] 
[/setrealmflags <RealmName> [sendaddress] [tcpsupported] [delegate] [ncsupported] [rc4]] 
[/addrealmflags <RealmName> [sendaddress] [tcpsupported] [delegate] [ncsupported] [rc4]] 
[/delrealmflags [sendaddress] [tcpsupported] [delegate] [ncsupported] [rc4]] 
[/addhosttorealmmap] <HostName> <RealmName>]  
[/delhosttorealmmap] <HostName> <RealmName>]  
[/setenctypeattr] <DomainName> {DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC-MD5 | AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96}
[/getenctypeattr] <DomainName>
[/addenctypeattr] <DomainName> {DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC-MD5 | AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96}
[/delenctypeattr] <DomainName>


Parameter Description


Makes this computer a member of a Kerberos realm.


Maps a Kerberos principal to an account.


Defines a KDC entry for the given realm.


Deletes a KDC entry for the realm.


Adds a Kpasswd server address for a realm.


Deletes a Kpasswd server address for a realm.


Allows you to specify the name of a Windows computer on which to apply the changes.


Sets the password for the computer's domain account (or host principal).


Deletes all information for the specified realm from the registry.


Allows you to specify a domain (if <DomainName> has not been set by using /domain).


Allows you to use the Kpasswd to change the logged on user's password.


Lists the available realm flags that ksetup can detect.


Sets realm flags for a specific realm.


Adds additional realm flags to a realm.


Deletes realm flags from a realm.


Analyzes the Kerberos configuration on the given computer. Adds a host to realm mapping to the registry.


Adds a registry value to map the host to the Kerberos realm.


Deletes the registry value that mapped the host computer to the Kerberos realm.


Sets one or more encryption types trust attributes for the domain.


Gets the encryption types trust attribute for the domain.


Adds encryption types to the encryption types trust attribute for the domain.


Deletes the encryption types trust attribute for the domain.


Displays Help at the command prompt.

Ksetup is used to change the computer settings for locating Kerberos realms. In non-Microsoft Kerberos–based implementations, this information is usually kept in the Krb5.conf file. In Windows Server operating systems, it is kept in the registry. You can use this tool to modify these settings. These settings are used by workstations to locate Kerberos realms and by domain controllers to locate Kerberos realms for cross-realm trust relationships.

Ksetup initializes registry keys that the Kerberos Security Support Provider (SSP) uses to locate a KDC for the Kerberos realm if the computer is running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 and is not a member of a Windows domain. After configuration, the user of a client computer that is running the Windows operating system can log on to accounts in the Kerberos realm.

The Kerberos version 5 protocol is the default for network authentication on computers running Windows XP Professional, Windows Vista, and Windows 7. The Kerberos SSP searches the registry for the domain name of the user's realm and then resolves the name to an IP address by querying a DNS server. The Kerberos protocol can use DNS to locate KDCs by using only the realm name, but it must be specially configured to do so.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2015 Microsoft