Windows 7 Kerberos Login using External Kerberos KDC
Tools:
Ksetup: Configures Kerberos realms, KDCs, and Kpasswd servers.
Ktpass: Sets the password and account name mappings, and generates keytabs, for Kerberos services that use the Windows 2008 Kerberos KDC.
Windows 7 Client:
Run the Ksetup utility to configure the Kerberos KDC server and realm.
1) Create a host principal for the computer in the Kerberos realm using the Kerberos utility kadmin. Remember the password used.
2) Command line (as administrator):
C:> Ksetup /setdomain NCSA.EDU
## This is suggested in the documentation for Windows Server 2002; this will drop the computer out of the ad.ncsa.edu domain.
## I have found that this also removes access to ad.ncsa.edu services and allocations. With Windows 2008 server, I have eliminated this step.
## Eliminating this allows access to ad.ncsa.edu services and allocations. It also allows access to the computer using the Windows Domain authentication (login).
The client mapping allows NCSA.EDU\ncsauser and ad.ncsa.edu\ncsauser access to the same User account.
Add external KDCs
C:> Ksetup /addkdc NCSA.EDU kerberos.ncsa.uiuc.edu
C:> Ksetup /addkdc NCSA.EDU kerberos-1.ncsa.uiuc.edu
C:> Ksetup /addkdc NCSA.EDU kerberos-2.ncsa.uiuc.edu
Set the computer password. Use the same password that was used when creating the computer in the Kerberos realm.
C:> Ksetup /setcomputerpassword password
Restart your computer for the changes to take effect.
Configure Single Sign On
Map clients to their domain account on the computer.
C:> Ksetup /mapuser ncsauser@NCSA.EDU ncsauser
Map clients to local accounts of the same name.
C:> Ksetup /mapuser * *
View Kerberos Settings
C:> Ksetup
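The client-side steps above collected into one script, as an added example that is not part of the original page. It is PowerShell for an elevated prompt, prompts for the host principal password instead of storing it as a literal, and stops at the first ksetup call that fails. The helper name Invoke-Ksetup and the variable names are this example's own, and it assumes ksetup reports failure through a non-zero exit code.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell prompt.
# Realm, KDC names and the ncsauser mapping come from the page; Invoke-Ksetup and the
# variable names are this example's own.
$Realm = 'NCSA.EDU'
$Kdcs  = 'kerberos.ncsa.uiuc.edu', 'kerberos-1.ncsa.uiuc.edu', 'kerberos-2.ncsa.uiuc.edu'

function Invoke-Ksetup {
    param([string[]]$Arguments)
    & ksetup.exe @Arguments
    # Assumption: ksetup signals failure through a non-zero exit code.
    if ($LASTEXITCODE -ne 0) {
        # Report only the switch, never the full argument list (it may hold the password).
        throw "ksetup $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# ksetup changes machine-wide settings, so refuse to run without elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) prompt.'
}

# Register each external KDC for the realm.
foreach ($kdc in $Kdcs) {
    Invoke-Ksetup -Arguments '/addkdc', $Realm, $kdc
}

# Prompt for the host principal password (the one given to kadmin in step 1) so it is
# not echoed or saved in a file; ksetup itself still receives it as an argument.
$secure = Read-Host -Prompt "Host principal password for $Realm" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Invoke-Ksetup -Arguments '/setcomputerpassword', $plain
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# Explicit one-to-one mapping from the page (the "* *" wildcard form is not applied here).
Invoke-Ksetup -Arguments '/mapuser', "ncsauser@$Realm", 'ncsauser'

# Show the resulting settings for review; a restart is still required afterwards.
& ksetup.exe
```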

