JSI Tip 5949. How do I use the Kerberos setup tool to configure Windows 2000 clients to use an MIT Kerberos server instead of using a Windows 2000 domain for user authentication?

Jerold Schulman

November 10, 2002

3 Min Read
ITPro Today logo in a gray background | ITPro Today

NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to insure that you are reading the most current information.

Microsoft Knowledge Base article Q324143 contains:

IN THIS TASK

  • SUMMARY

    • KSetup Syntax

    • Determine Current Settings

    • Set the Kerberos Domain

    • Add a Kerberos Domain Controller

    • Set the Local Computer Account Password

    • Map a Kerberos User to a Local User

SUMMARY

KSetup is a command-line tool that configures Windows 2000 clients to use an MIT Kerberos server instead of using a Windows 2000 domain for user authentication. This article describes how to use KSetup to configure a computer for Kerberos authentication.

back to the top

KSetup Syntax

KSetup is part of the Windows 2000 Resource Kit. The KSetup tool updates the Windows 2000 registry to force Windows to modify the settings for authentication so that the computer can talk to MIT Kerberos domain controllers. When you run KSetup on clients, it changes the way that information is looked up during authentication. Additionally, it adjusts how users are authenticated. You can use KSetup on servers to provide cross-realm trust relationships that allow single sign-on across UNIX and Windows-based computers.

The following text is the syntax of the KSetup tool:

  • ksetup [/SetRealm DnsDomainName] [/MapUser Principal Account] [/AddKdc RealmNameKdcName] [/DelKdc RealmNameKdcName] [/AddKpasswd RealmnameKpasswdName] [/DelKpasswd RealmnameKpasswdName] [/Server Servername] [/SetComputerPassword Password] [/Domain DomainName] [/ChangePassword OldPasswdNewPasswd] [/?] [/Help ]

The following list describes the parameters of this tool:

  • /SetRealm DnsDomainName: This parameter sets the name of a Kerberos realm.

  • /MapUser KerbNameLocalName: This parameter maps the name of a Kerberos principal to an account (the wildcard character [*] indicates any or all).

  • /AddKdc RealmnameKdcname: This parameter adds an additional Key Distribution Center (KDC) address for the specified realm.

  • /DelKdc RealmNameKdcName: This parameter deletes instances of the KDC address for the realm.

  • /AddKpasswd RealmnameKpasswdName: This parameter adds the specified Kpasswd server address for a realm.

  • /DelKpasswd RealmnameKpasswdName: This parameter deletes the specified Kpasswd server address for a realm.

  • /Server servername: This parameter specifies the name of a Windows 2000-based computer on which to make the change.

  • /SetComputerPassword Passwd: This parameter sets the local computer password.

  • /Domain DnsDomainName: This parameter uses the specified domain.

  • /ChangePassword OldPasswdNewPasswd: This parameter changes the logged-on user's password by using Kpassword.

  • /? or /Help: This parameter displays the usage screen.

back to the top

Determine Current Settings

To determine the current settings, run the KSetup tool without any parameters.

back to the top

Set the Kerberos Domain

To set the Kerberos domain for the current computer, use the /domain parameter:

  • ksetup /domain domain.companyname.com

back to the top

Add or Remove a Kerberos Domain Controller

To add a Kerberos KDC, use /addkdc with the name of the domain that this KDC applies to and the address of the server for this domain. For example:

  • ksetup /addkdc domain.companyname.com kerbsrv.companyname.com

To remove, use the /delkdc parameter:

  • ksetup /delkdc domain.companyname.com kerbsrv.companyname.com

back to the top

Set the Local Computer Account Password

To set the password for the local computer account on the Kerberos server, use /setcomputerpassword. For example:

  • ksetup /setcomputerpassword password

back to the top

Map a Kerberos User to a Local User

To map a Kerberos user to a local user account to turn on single sign-on across servers, use the /MapUser parameter:

You can also map users using wildcard characters (*). The special token AllUsers refers to all the users in a Kerberos domain and the wildcard character defines all the users in the local domain. For example, to map all users on a Kerberos KDC to the corresponding user on the local computer, run the following command:

  • ksetup /mapuser AllUsers *

NOTE: On a domain controller, this command maps users between the two authentication systems and allows both UNIX and Windows clients to log on to servers using the Kerberos authentication system.

back to the top



Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like