This document describes a procedure for integration of a local Active Directory domain (deployed within a University department or college network) with the OX.AC.UK Kerberos realm by way of a Cross-Realm Trust. This will allow users to access resources within the local AD domain using their Oxford SSO username and password.
The following instructions have been tested using Windows 2008 R2 servers with Windows XP (Professional) SP3, Windows Vista (Enterprise) SP2, and Windows 7 (Enterprise) SP1 clients for the following use cases within the local domain:
Other use cases may (and probably will) work as the fundamental capability to authenticate users via Kerberos is becoming widespread amongst Windows-based applications (and is indeed Microsoft's preferred mechanism for authentication in an AD environment).
When Sysdev create your Kerberos cross-realm service principal, they will also assign administration rights over it to the requested /itss principal(s) (of the form oxfordusername/itss) to enable you to set a password on the principal.
The above screenshot shows the /itss user authenticating, setting the password (and the encryption types) for the cross-realm principal using the cpw command, and then checking the current settings on the cross-realm principal using the getprinc command.
The -e switch on cpw defines the encryption type. RC4 is supported in Windows Server 2003 Service Pack 2 and later (and ALL your DCs will need to be at this level or above for RC4 to work). Since AES support was added in Windows Server 2008 it has become the preferred encryption type for the latest versions of Windows Server.
If you have an existing AD-MIT cross-realm trust running on Windows Server 2003 (SP2 or later) and you are migrating your domain controllers to Windows Server 2008 R2, it is important you reset the password and the encryption types as above, and then remove and add the realm trusts again as in section 3.3. Configure Domain Controllers prior to introducing the 2008 R2 DCs. This is to ensure that the key encryption types remain compatible.
NOTE: Make sure that you choose a very strong password, and keep it secure! You'll only need it to create the other side of the trust, so you're not going to need to use it very often. You should also ensure that it conforms to the strength requirements of your Windows system — this may mean three out of four categories of character (lower and upper case, numbers, and special characters).
Configure the domain controller so that it knows about the Kerberos KDC servers. From a command prompt, use ksetup /addkdc ... to add the OX.AC.UK KDCs (invoking ksetup without arguments shows the current settings), as in the following example:
Click on Next. The next screen asks whether the trust should be transitive or non-transitive. If in any doubt choose Transitive as this is generally only likely to be important if you have more than one domain in your Active Directory forest - in which case transitive trust would also probably be the best option.
Click on Next. When prompted for the trust password, enter the password you set on the principal for your domain (i.e. the password from section 3.2. Set a password for the Principal).
Click Next to advance to the New Trust Wizard completion screen. Click Finish to complete the process, and you should see the new realm trust show up in the top panel under Domains trusted by this domain (outgoing trusts).
This is to tell the DC to use RC4 encryption rather than DES encryption for all dealings with the external realm OX.AC.UK. 'ktpass' is included with the Support Tools, but make sure you use the version from the CD appropriate to your O/S and service pack level, or download it from the Microsoft site. Only the Windows Server 2003 versions of 'ktpass.exe' support the switches above.
It's helpful, but not essential, for the Active Directory username and the oxfordusername to match. For example, if they don't match and the user authenticates as (example SSO user) abcd0123 but is authorised to use the Active Directory resources that (example AD user) wxyz9876 has access to, scripts using %username% will use wxyz9876 and this could cause problems if a user has a home directory called abcd0123 with an automatic mapping.
When a user logs in using their OX.AC.UK credentials, the system will not apply roaming profiles or group policy objects (GPOs) associated with that user in the local domain, unless the Allow Cross-Forest User Policy and Roaming User Profiles policy is applied to the workstation they are logging into. The path to this policy in the Group Policy Management Editor is Computer Configuration\Policies\Administrative Templates\System\Group Policy.
Microsoft deprecated the use of DES ciphers from Windows 7 (and Windows Server 2008 R2) onwards, so your Windows 7 clients will require DES ciphers to be re-enabled by setting the Network Security: Configure encryption types allowed for Kerberos policy (under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options) to include all of the following:
Ideally the above encryption type settings (and optionally the default domain as OX.AC.UK) would be established using a GPO for workstations. The optional Assign a default domain for logon policy is under Computer Configuration\Policies\Administrative Templates\System\Logon.
DES ciphers are only necessary to accommodate the OX.AC.UK master TGT, and would not be used for service tickets and/or their session keys; this is a requirement due to another stronger master TGT cipher not being accommodated by Windows OSes. We are planning to add extra ciphers to the master TGT to obviate the need to enable DES ciphers.
SSO Password changes using Ctrl+Alt+Del will not work, so SSO users should be configured to disallow the password changing option using the Remove Change Password Group Policy. The path to this policy in the Group Policy Management Editor is User Configuration\Policies\Administrative Templates\System\Ctrl+Alt+Del Options. If SSO passwords need changing they should be changed using the Webauth Change Password web page instead.