Kerberos Realm Trust: Extra settings

InfoTechdude 156 Reputation points
2020-10-10T13:53:31.15+00:00

Hi,

Kerberos Realm Trust is one of the available trusts in AD Domains and Trusts. So I proceed "as usual" by adding this trust with the wizard.

This can also be done from the command line: netdom trust /add /realm .... . Netdom also has some extra commands about Kerberos (/kerberos, /EnableTgtDelegation, etc.):
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc835085(v=ws.11)

My question is this: because this one is with a non-Windows machine, what else has to be set up? Firewall? What about commands like ksetup/ktpass, or even kadmin?
Ksetup
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh240190(v=ws.11)
Ktpass
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753771(v=ws.11)

kadmin [-O|-N] [-r realm] [-p principal] [-q query] [[-c cache_name]|[-k [-t keytab]]|-n] [-w password] [-s admin_server[:port]]

kadmin.local [-r realm] [-p principal] [-q query] [-d dbname] [-e enc:salt ...] [-m] [-x db_args]

Thanks for a clear answer!


1 answer

  1. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2020-10-12T02:22:36.407+00:00

    Hello @InfoTechdude ,

    Thank you for posting here.

    We can try the following steps on the DC in the Windows domain.

    1. Before setting up any trust, we should create a secondary zone or set up conditional forwarders on the DC in the Windows domain and the DC in the non-Windows domain so that the two realms can find each other.

    Create a secondary zone or set up conditional forwarders based on the steps in the link below.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/9e501d72-5457-421a-b81b-3a1f83ac7b0e/setup-of-trust-relationship-between-2-domains?forum=winservergen

    2. Create a Realm Trust through the UI or the netdom trust command on the DC in the Windows domain.

    Create a Realm Trust
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754706(v=ws.11)

    3. We should make sure the ports in the AD (including trust) port requirements below are listening.

    For AD (including trust) Port Requirements, we can refer to the links below.
    Active Directory and Active Directory Domain Services Port Requirements
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN

    Active Directory Replication over Firewalls
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727063(v=technet.10)?redirectedfrom=MSDN

    For the two commands, if we want to set some settings to support Kerberos realms (Ksetup) and support Kerberos authentication (Ktpass), we can use them if needed.

    Best Regards,
    Daisy Zhou
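
The three steps from the answer above as one command sequence for an elevated PowerShell session on a DC, as an added example that is not part of the original thread. The domain name, realm name, KDC host name and IP address are placeholder assumptions, and the kadmin.local line in the comments is the matching step on an MIT-style KDC.

```powershell
# Added example. Assumed placeholders (not from the thread):
#   AD domain corp.example.com, non-Windows realm MIT.EXAMPLE.COM,
#   KDC kdc1.mit.example.com at 192.0.2.10 (documentation address range).
$AdDomain = 'corp.example.com'
$Realm    = 'MIT.EXAMPLE.COM'
$Kdc      = 'kdc1.mit.example.com'
$KdcIp    = '192.0.2.10'

# Step 1: name resolution. Forward queries for the realm's DNS zone to its
# DNS server, then confirm the KDC host name resolves from the DC.
Add-DnsServerConditionalForwarderZone -Name $Realm.ToLower() -MasterServers $KdcIp
Resolve-DnsName -Name $Kdc -Type A

# A non-Windows realm has no DC locator, so register its KDC with ksetup.
ksetup /addkdc $Realm $Kdc

# Step 2: create the realm trust (the AD domain trusts the realm; add /twoway
# for a two-way trust). Use a long random trust password: the cross-realm
# key is derived from it on both sides.
$TrustPassword = Read-Host 'Trust password (must match the KDC side)'
netdom trust $AdDomain "/Domain:$Realm" /add /realm "/PasswordT:$TrustPassword"
Remove-Variable TrustPassword

# Matching step on the non-Windows KDC, entering the same password:
#   kadmin.local -q "addprinc -e aes256-cts-hmac-sha1-96:normal krbtgt/CORP.EXAMPLE.COM@MIT.EXAMPLE.COM"

# Set the trust's encryption type attribute to AES rather than leaving the
# legacy default, then read it back.
ksetup /SetEncTypeAttr $Realm AES256-CTS-HMAC-SHA1-96
ksetup /GetEncTypeAttr $Realm

# Step 3: firewall. Test-NetConnection checks TCP only, so 88/udp and the
# kpasswd port 464 still have to be confirmed against the firewall rules.
$kerberosTcp = Test-NetConnection -ComputerName $Kdc -Port 88
if (-not $kerberosTcp.TcpTestSucceeded) {
    Write-Warning "Kerberos 88/tcp to $Kdc is blocked or the KDC is not listening."
}

# Show the realm-to-KDC mappings now stored on this machine.
ksetup /dumpstate
```

ktpass is not needed for the trust itself; it generates keytab files for service principals mapped to AD accounts.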
