This document describes a procedure for integrating a local Active Directory domain (deployed within a University department or college network) with the OX.AC.UK Kerberos realm by way of a Cross-Realm Trust. This allows users to access resources within the local AD domain using their Oxford SSO username and password.
The following instructions have been tested using Windows 2008 R2 servers with Windows XP (Professional) SP3, Windows Vista (Enterprise) SP2, and Windows 7 (Enterprise) SP1 clients for the following use cases within the local domain:
- Workstation logons
- File and Print services
- The application of Group Policies
- IIS integrated authentication
- Sharepoint 2010 authentication
- SQL Server authentication
Other use cases may (and probably will) work, as the fundamental capability to authenticate users via Kerberos is becoming widespread amongst Windows-based applications (and is indeed Microsoft's preferred mechanism for authentication in an AD environment).
The instructions have been developed from older instructions for Windows Server 2003 and Windows Server 2008 AD installations, and should also work for those operating systems.
This procedure configures the Windows AD domain to trust the OX.AC.UK Kerberos realm (which contains all Oxford SSO users). The procedure includes 5 main activities:
- Obtain a Kerberos cross-realm principal for your Active Directory domain
- Set a password for the principal
- Configure domain controllers (DCs)
- Map user principals to names
- Configure domain members and workstations
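The DC-side and workstation-side parts of the five activities above, as an added PowerShell example that is not part of the original document. The local domain name DEPT.EXAMPLE.AC.UK, the KDC host names kdc0.ox.ac.uk and kdc1.ox.ac.uk, and the sample account names are placeholders; the cross-realm principal and its password are assumed to have been obtained and set in the first two activities.

```powershell
# Added example, not from the original document. Run on a domain controller
# of the local AD domain as a Domain Admin; the last block runs on members.
Import-Module ActiveDirectory

$LocalDomain = 'DEPT.EXAMPLE.AC.UK'                 # placeholder: your AD domain
$Realm       = 'OX.AC.UK'                           # the realm being trusted
$Kdcs        = @('kdc0.ox.ac.uk', 'kdc1.ox.ac.uk')  # placeholders: OX.AC.UK KDCs

# The trust password must equal the password set on the cross-realm principal
# krbtgt/DEPT.EXAMPLE.AC.UK@OX.AC.UK in the OX.AC.UK KDC (activity 2).
$cred = Get-Credential -UserName "krbtgt/$LocalDomain@$Realm" `
        -Message 'Password set on the cross-realm principal'
$trustPassword = $cred.GetNetworkCredential().Password

# Activity 3: configure the DCs.
# Windows does not discover MIT KDCs by DNS SRV records by default, so
# register the OX.AC.UK KDCs explicitly on every DC.
foreach ($kdc in $Kdcs) { ksetup /addkdc $Realm $kdc }

# Create a one-way realm trust: the local domain trusts OX.AC.UK.
# Realm trusts are non-transitive unless /Transitive:Yes is added; keep the
# default so only OX.AC.UK principals are accepted, not any realm it trusts.
netdom trust $LocalDomain /Domain:$Realm /Add /Realm /PasswordT:$trustPassword

# Activity 4: map SSO user principals to local AD accounts.
# altSecurityIdentities lets the DC issue a local logon for a foreign
# principal; the "Kerberos:" prefix and exact realm case both matter.
$mappings = @{                       # constructed sample data
    'jsmith' = "Kerberos:abcd1234@$Realm"
    'alee'   = "Kerberos:efgh5678@$Realm"
}
foreach ($samAccount in $mappings.Keys) {
    Set-ADUser -Identity $samAccount `
        -Replace @{ altSecurityIdentities = $mappings[$samAccount] }
}

# Activity 5: on each domain member and workstation, register the KDCs so
# the local Kerberos client can reach OX.AC.UK for the initial logon.
foreach ($kdc in $Kdcs) { ksetup /addkdc $Realm $kdc }

# Verification: list configured realms/KDCs and the trusts the DC knows about.
ksetup
nltest /domain_trusts
```

Audit the mapping step: any account holding write access to altSecurityIdentities can bind a foreign principal to a local account, so restrict that attribute and review changes to it.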