This document describes a procedure for integrating a local Active Directory domain (deployed within a University department or college network) with the OX.AC.UK Kerberos realm by way of a Cross-Realm Trust. This lets users access resources within the local AD domain using their Oxford SSO username and password.
The following instructions have been tested using Windows 2008 R2 servers with Windows XP (Professional) SP3, Windows Vista (Enterprise) SP2, and Windows 7 (Enterprise) SP1 clients for the following use cases within the local domain:
- Workstation logons
- File and Print services
- The application of Group Policies
- IIS integrated authentication
- SharePoint 2010 authentication
- SQL Server authentication
Other use cases may (and probably will) work, as the fundamental capability to authenticate users via Kerberos is becoming widespread amongst Windows-based applications (and is indeed Microsoft's preferred mechanism for authentication in an AD environment).
The integration consists of the following steps:
- Obtain a Kerberos cross-realm principal for your Active Directory domain
- Set a password for the principal
- Configure domain controllers (DCs)
- Map user principals to names
- Configure domain members and workstations
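As an added illustration of how steps 2 to 5 above fit together on the Windows side (this is example code written for this page, not a script from the original guide, and the guide's own later sections may prescribe a different approach), the following PowerShell session uses the standard `netdom` and `ksetup` tools and the ActiveDirectory module. The local domain name `dept.example`, the KDC hostname placeholder and the user name `abcd1234` are assumptions; the real values come from your own domain and from the OX.AC.UK realm administrators, who also carry out step 1 (creating the cross-realm principal) on their side.

```powershell
# Added example, not part of the original guide. Run the DC section on a domain
# controller as a domain administrator; run the final section on each domain member.
# Assumed values (replace with your own): the local AD domain's DNS name, the
# OX.AC.UK KDC hostname, and the sample user name used in the mapping step.
$LocalDomain = 'dept.example'                 # assumed: your AD domain's DNS name
$OxRealm     = 'OX.AC.UK'                     # the central realm named on this page
$OxKdc       = 'KDC_HOSTNAME_PLACEHOLDER'     # assumed: supplied by the realm admins

# Step 2: the trust password must be identical to the password set on the
# cross-realm principal in OX.AC.UK. Prompt for it rather than embedding it in
# a script, and convert it only at the moment netdom needs the plain text.
$TrustPassword = Read-Host -Prompt 'Cross-realm trust password' -AsSecureString
$Plain = [System.Net.NetworkCredential]::new('', $TrustPassword).Password

# Step 3 (on a DC): create a one-way trust from the local domain to the
# non-Windows (MIT) realm. The local domain is the trusting side, so OX.AC.UK
# users can be authenticated for local resources, and nothing is trusted in the
# other direction. Then register the realm's KDC so Windows can locate it
# without relying on DNS SRV records.
netdom trust $LocalDomain "/domain:$OxRealm" /add /realm "/passwordt:$Plain"
ksetup /addkdc $OxRealm $OxKdc
Remove-Variable Plain   # drop the plain-text copy as soon as it has been used

# Check that the trust object exists and that the Kerberos path works.
netdom trust $LocalDomain "/domain:$OxRealm" /verify /kerberos

# Step 4: map an OX.AC.UK principal onto an AD account. The altSecurityIdentities
# attribute holds the Kerberos principal name that this account accepts; the
# account itself needs no usable password because authentication happens in the
# OX.AC.UK realm.
Import-Module ActiveDirectory
Set-ADUser -Identity 'abcd1234' -Add @{ altSecurityIdentities = "Kerberos:abcd1234@$OxRealm" }

# Step 5 (on each domain member and workstation): make the realm's KDC known
# locally as well, so clients can obtain the cross-realm ticket directly.
ksetup /addkdc $OxRealm $OxKdc
```

The trust is deliberately one-way and non-transitive: only OX.AC.UK identities are accepted in the local domain, and local accounts are not exposed to the central realm. The `altSecurityIdentities` value must carry the exact principal name, including the realm in upper case, or the mapping is silently ignored and logons fall back to failing with an unknown-user error.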