IT Services

Oxford SSO Integration of AD via a Cross-Realm Trust

1. Overview

This document describes a procedure for integration of a local Active Directory domain (deployed within a University department or college network) with the OX.AC.UK Kerberos realm by way of a Cross-Realm Trust. This will allow users to access resources within the local AD domain using their Oxford SSO username and password.

The following instructions have been tested using Windows 2008 R2 servers with Windows XP (Professional) SP3, Windows Vista (Enterprise) SP2, and Windows 7 (Enterprise) SP1 clients for the following use cases within the local domain:

Other use cases may (and probably will) work, as the ability to authenticate users via Kerberos is now widespread among Windows-based applications (Kerberos is Microsoft's preferred authentication mechanism in an AD environment).

The instructions have been developed from older instructions for Windows Server 2003 and Windows Server 2008 AD installations, and should also work for those operating systems.

This procedure configures the Windows AD domain to trust the OX.AC.UK Kerberos realm (which contains all Oxford SSO users). The procedure includes five main activities:

2. Prerequisites

You will need:

  1. one or more Windows Server 2008 R2 domain controllers (fully patched Windows Server 2003 or 2008 DCs also work), set up in line with Oxford University's Active Directory pages;
  2. time synchronised with an NTP source. For Kerberos to function, all participating hosts must agree on the time to within the permitted clock skew (five minutes by default); a larger skew makes ticket requests fail. Point the PDC Emulator in your AD forest at the OUCS NTP servers using the w32time service, configured following Microsoft's procedure for an authoritative time server.

3. The Procedure

3.1. Obtain a Kerberos cross-realm Principal

3.2. Set a password for the Principal

When Sysdev create your Kerberos cross-realm service principal, they will also grant administration rights over it to the /itss principal(s) you requested (of the form oxfordusername/itss), so that you can set a password on the principal.

Setting the password and encryption type(s) for the principal

The above screenshot shows the /itss user authenticating to kadmin, setting the password (and the encryption types) for the cross-realm principal using the cpw command, and then checking the current settings on the cross-realm principal using the getprinc command.

The -e switch on cpw sets the encryption types of the new keys. RC4 is supported in Windows Server 2003 Service Pack 2 and later (and ALL your DCs will need to be at this level or above for RC4 to work). AES support was added in Windows Server 2008, and AES is the preferred encryption type for current versions of Windows Server.

The list of encryption types in the image, for the convenience of copy/paste, is:

"aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal rc4-hmac:normal"

If you have an existing AD-MIT cross-realm trust running on Windows Server 2003 (SP2 or later) and you are migrating your domain controllers to Windows Server 2008 R2, reset the password and the encryption types as above, and then remove and re-add the realm trusts as in section 3.3 (Configure Domain Controllers), before introducing the 2008 R2 DCs. This ensures that the key encryption types remain compatible.

NOTE: Make sure that you choose a very strong password, and keep it secure! You will only need it again to create the other side of the trust, so it is not used day to day. You should also ensure that it conforms to the password strength requirements of your Windows domain: this may mean at least three of the character categories (lower case, upper case, digits and special characters).
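The following script is an added example and is not the page's own procedure or Sysdev's code. It wraps the kadmin step shown in the screenshot (cpw with -e, then getprinc) so that the password is first checked against the Windows complexity rule from the NOTE, and the same encryption type list is applied every time, which is also what the migration paragraph above requires when a trust password is reset. Everything specific in it is an assumption: the local domain AD.EXAMPLE.OX.AC.UK (so the cross-realm principal is krbtgt/AD.EXAMPLE.OX.AC.UK@OX.AC.UK), the administrator principal jsmith/itss, and a 14-character minimum length that is stricter than the Windows default. The interactive session in the screenshot does the same thing by hand.

```shell
#!/bin/sh
# Added example, not from the original page: set the password and key
# encryption types of the cross-realm principal with MIT kadmin, after
# checking that the password meets the Windows complexity rule from the NOTE.
#
# Hypothetical values (adjust to your own): the local AD domain is
# AD.EXAMPLE.OX.AC.UK, so the cross-realm principal in the OX.AC.UK realm is
# krbtgt/AD.EXAMPLE.OX.AC.UK@OX.AC.UK; the administrator is jsmith/itss.

# Keep [a-z]/[A-Z] ranges strictly ASCII regardless of the caller's locale.
LC_ALL=C
export LC_ALL

# The encryption types listed in section 3.2, in MIT "enctype:salt" form.
ENCTYPES="aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal rc4-hmac:normal"

# check_complexity PASSWORD
# Returns 0 when PASSWORD has at least 14 characters (an assumed minimum,
# stricter than the Windows default) and uses three or more of the four
# character classes: lower case, upper case, digits, anything else.
# Returns 1 otherwise.
check_complexity() {
    pw=$1
    classes=0
    case $pw in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $pw in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
    [ "${#pw}" -ge 14 ] && [ "$classes" -ge 3 ]
}

# cpw_query PRINCIPAL PASSWORD
# Prints the kadmin query that changes the principal's key using exactly the
# encryption types above (-e) and the given password (-pw). PASSWORD must not
# contain a double quote, because kadmin's own tokenizer would split it.
cpw_query() {
    printf 'cpw -e "%s" -pw "%s" %s' "$ENCTYPES" "$2" "$1"
}

# set_trust_password PRINCIPAL ADMIN_PRINCIPAL PASSWORD
# Validates PASSWORD, runs the key change as ADMIN_PRINCIPAL (kadmin prompts
# for that principal's own password on each call), then prints the principal
# so the "Key: vno N, enctype ..." lines can be compared with ENCTYPES.
set_trust_password() {
    if ! check_complexity "$3"; then
        echo "password does not meet the Windows complexity rule; choose another" >&2
        return 1
    fi
    kadmin -p "$2" -q "$(cpw_query "$1" "$3")" || return 1
    kadmin -p "$2" -q "getprinc $1"
}

# Usage (hypothetical values):
#   ./set-trust-password.sh krbtgt/AD.EXAMPLE.OX.AC.UK@OX.AC.UK jsmith/itss 'Xq7!mVr2#pLw9Zt'
if [ "$#" -eq 3 ]; then
    set_trust_password "$1" "$2" "$3"
fi
```

Compare the enctype lines printed by getprinc with the list in ENCTYPES before moving on to section 3.3: a key that was created with a different list is exactly the mismatch the migration paragraph warns about, and the Windows side of the trust will only be able to use the types that both ends hold.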

3.3. Configure Domain Controllers

3.4. Map user principals to names

3.5. Domain Member Workstation (XP/Vista/7) and Domain Member Server Configuration

NOTE: Windows OS 'Home' editions do not have the capability to join a domain, so cannot be configured for AD cross-realm SSO login. The Windows OS editions listed below exclude all 'Home' editions.

4. Troubleshooting

In case of problems:

5. Current Problems

Problems that have been reported or discovered, with work-arounds / solutions where available, will be recorded on this page.

Windows 7 Workstation Hangs at Welcome Screen
Credential Manager issues have been seen in Windows 7, where the PC would hang at the Welcome screen. Microsoft confirmed the issue and released a hotfix, which was subsequently rolled into Windows 7 Service Pack 1.