Re: active directory - kerberos realms


From: Mike Brannigan [MSFT] (mikebran_at_online.microsoft.com)
Date: 05/15/04


Date: Sat, 15 May 2004 03:06:23 +0100


"barabba" <barabba72@hotmail.com> wrote in message
news:8ec33ba5.0405141452.22b22762@posting.google.com...
> Hi all,
>
> we all know that Active Directory uses Kerberos for a number of
> things.
> We also all know that all Domain Controllers run Kerberos by default.
>
> However, I read in a MS book that it is possible to use third party
> Kerberos service instead of the native Kerberos supplied by DCs.
> Is this true ?
> Does anybody have any more details about this ?

You have misunderstood.
You cannot replace the built-in Kerberos implementation with a third-party
one, as you will not be able to log on,
since the Microsoft Kerberos implementation uses the PAC (Privilege
Attribute Certificate) in the Kerberos ticket to send all the SIDs needed by
the logon process to build your access token.
You can, however, interoperate with other Kerberos realms, and other products
can use a Windows Active Directory as a realm.
There are lots of articles and whitepapers on this in TechNet, available
online at http://www.microsoft.com/technet/default.mspx

-- 
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no
rights
Please note I cannot respond to e-mailed questions, please use these 
newsgroups
