
Configure Kerberos External Realm on Windows Host

For the Windows workstation to use a Kerberos KDC deployed on UNIX, you must configure both the Kerberos KDC server and the workstation.

In the Kerberos realm, create a host principal for the Windows host. Use the following command:

kadmin.local: addprinc host/machine-name.dns-domain-name

For example, if the Windows workstation name is W2KW and the Kerberos realm name is EXAMPLE.COM, the principal name is host/w2kw.example.com.

Because a Kerberos realm is not a Windows domain, the Windows host must be a member of a workgroup rather than a domain, which happens automatically when you follow this process:

  1. Remove the host from the Windows domain.
  2. Add the test user, for example, testkrb, to the local user database.
  3. Add the Kerberos Realm:
    ksetup /SetRealm EXAMPLE.COM
    
  4. Restart the host.
  5. Add the KDC:
    ksetup /addkdc EXAMPLE.COM rhasmit
    
  6. Set a new password:
    ksetup /setmachpassword password
    

    Note: The password used here is the same as the one used when creating the host principal account in the MIT KDC.

  7. Restart the host.

    Note: Whenever changes are made to the external KDC and realm configuration, a restart is required.

  8. Set the realm flag:
    ksetup /SetRealmFlags EXAMPLE.COM delegate
    
  9. Run AddKpasswd:
    ksetup /AddKpasswd EXAMPLE.COM rhasmit
    
  10. Use Ksetup to configure single sign-on to local workstation accounts by defining the account mappings between Windows host accounts and Kerberos principals. For example:
    ksetup /mapuser testkrb@EXAMPLE.COM testkrb
    ksetup /mapuser * *
    

    The second command maps clients to local accounts of the same name. Use Ksetup with no arguments to see the current settings.
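The following PowerShell script is an added example, not part of the original page or of the product documentation. It drives the ksetup steps above in two phases (one before and one after the required restart), derives the host principal name for the KDC side in the same way as the W2KW / EXAMPLE.COM example, checks each ksetup exit code, and reads the machine password interactively so that it is not stored in the script. The realm name EXAMPLE.COM, the KDC host rhasmit and the test user testkrb are taken from the page; the exact layout of the output that `ksetup` prints with no arguments (the `kdc = ...` and `kpasswd = ...` lines the verification function looks for) is an assumption, so adjust `Test-KsetupConfig` if your version prints it differently.

```powershell
<#
  Added example (not from the original page). Assumptions: runs in an elevated
  PowerShell on the Windows host; realm EXAMPLE.COM and KDC host rhasmit are the
  page's values; the host principal host/<name>.<realm> already exists on the
  MIT KDC with the password entered at step 6.
  Phase 1 = steps 1-4 (ends in a restart), Phase 2 = steps 5-10 (ends in a restart).
#>
param(
    [ValidateSet(1, 2)] [int] $Phase = 1,
    [string] $Realm    = 'EXAMPLE.COM',
    [string] $Kdc      = 'rhasmit',
    [string] $TestUser = 'testkrb',
    [switch] $MapAllUsers   # opt in to the broad "/mapuser * *" rule from step 10
)

$ErrorActionPreference = 'Stop'

# Run ksetup and fail loudly instead of silently continuing after a bad step.
function Invoke-Ksetup {
    param([string[]] $Arguments)
    & ksetup.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "ksetup $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Host principal for the KDC side, built as in the page's example:
# workstation W2KW + realm EXAMPLE.COM -> host/w2kw.example.com
function Get-HostPrincipal {
    param([string] $Realm)
    return "host/$($env:COMPUTERNAME.ToLower()).$($Realm.ToLower())"
}

# Check the realm, KDC and kpasswd server appear in "ksetup" output.
# The "kdc = " / "kpasswd = " line format is an assumption about ksetup's output.
function Test-KsetupConfig {
    param([string] $Realm, [string] $Kdc)
    $out = (& ksetup.exe) -join "`n"
    $ok = $true
    foreach ($needle in @($Realm, "kdc = $Kdc", "kpasswd = $Kdc")) {
        if ($out -notmatch [regex]::Escape($needle)) {
            Write-Warning "ksetup output does not contain '$needle'"
            $ok = $false
        }
    }
    return $ok
}

if ($Phase -eq 1) {
    # Step 1: the host must be a workgroup member, not a domain member.
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        throw 'Host is still domain-joined; remove it from the domain first (step 1).'
    }
    # KDC side reminder: the principal the KDC administrator must create.
    Write-Host "On the MIT KDC run: kadmin.local -q `"addprinc $(Get-HostPrincipal $Realm)@$Realm`""
    # Step 2: local test account (password prompted, never embedded in the script).
    if (-not (Get-LocalUser -Name $TestUser -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $TestUser -Password (Read-Host "Password for local user $TestUser" -AsSecureString) | Out-Null
    }
    # Step 3: external realm, then step 4: restart.
    Invoke-Ksetup @('/SetRealm', $Realm)
    Restart-Computer -Confirm
}
else {
    # Step 5: KDC for the realm.
    Invoke-Ksetup @('/AddKdc', $Realm, $Kdc)
    # Step 6: machine password, same as the host principal's password on the KDC.
    # Read as SecureString so it is not stored in the script; ksetup still
    # receives it as a plain argument, so run this in an interactive session only.
    $secure = Read-Host 'Machine password (matches the host principal on the KDC)' -AsSecureString
    $bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try   { $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    Invoke-Ksetup @('/SetMachPassword', $plain)
    # Step 8: realm flag as in the page (delegate = realm trusted for delegation).
    Invoke-Ksetup @('/SetRealmFlags', $Realm, 'delegate')
    # Step 9: password-change server.
    Invoke-Ksetup @('/AddKpasswd', $Realm, $Kdc)
    # Step 10: explicit mapping first; the wildcard mapping only when requested,
    # because it lets any principal in the realm log on as a same-named local account.
    Invoke-Ksetup @('/MapUser', "$TestUser@$Realm", $TestUser)
    if ($MapAllUsers) { Invoke-Ksetup @('/MapUser', '*', '*') }

    if (-not (Test-KsetupConfig -Realm $Realm -Kdc $Kdc)) {
        throw 'ksetup configuration is incomplete; review the warnings above before restarting.'
    }
    # Step 7 / note: a restart is required after changing the external realm configuration.
    Restart-Computer -Confirm
}
```

Run `.\Configure-ExternalRealm.ps1 -Phase 1` (hypothetical file name), let the host restart, then run `-Phase 2`; add `-MapAllUsers` only if the page's `ksetup /mapuser * *` behaviour (every realm principal mapped to a same-named local account) is what you want on this host.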